Splunk Enterprise Security Reviews

Splunk Enterprise Security is mainly used for enterprise defense like cybersecurity threat detection. We have SOAR and SIEM, Security Information and Event Management systems. We feed the data to them, SOAR.

Enterprise security tools, that's what SIEM is. It has multiple products too, including Anvilogic, which they integrate.

Definitely, it helps us to evaluate the threats, especially the risk. However, my scope is very limited to Splunk administration. I think we do use Splunk as primary. We still use the security modules, including the integration of the security modules or the multiple feeds, not only Splunk. We have Elasticsearch and other things, but Splunk is one of the major feeds for them.

I am using Splunk Enterprise version.

I have been using Splunk Enterprise Security solutions for almost the last five years.

The integration and plugin availability are nice. The AI module is also great.

The most challenge was identifying the problems within the infra. I think it's quite short when we compare to others. The reporting on Splunk is much faster than other solutions.

Overall, the product is good, but when it comes to some infrastructure issues, we have to dig into more logs. There is no straightforward indication of an issue. Health check kind of dashboards are not available.

More AI would help us, and more optimization, since security products run more queries. The AI module could suggest solutions, optimizing queries or workload balancing. If the product itself advises on running queries during peak times, it would be similar to what ChatGPT currently offers.

We see quite a few issues on stability. Even last week, we faced something, and identifying bottlenecks is not easy. We need more SMEs, and there is no mechanism to tell us about indexer or search head issues. Self-monitoring dashboards could be beneficial.

The technical support still requires more improvement. Often, primary support takes a lot of time and forwards most solutions to the engineering side. The primary support team has very limited knowledge to provide.

I have been using Splunk Enterprise Security solutions for almost the last five years.

We see quite a few issues on stability. Even last week, we faced something, and identifying bottlenecks is not easy. We need more SMEs, and there is no mechanism to tell us about indexer or search head issues.

Scaling, we have a lot of scale, which is why it took a long time.

Definitely, scalability-wise, it has quite a good feature, but still, I see there are a lot of improvements needed.

The technical support still requires more improvement. Often, primary support takes a lot of time and forwards most solutions to the engineering side. The primary support team has very limited knowledge to provide.

Positive

It was straightforward for our environment, but we had multiple things, including the Splunk universal forwarder and different data sources. This made it a little complicated. However, infrastructure-wise, deployment was easy.

We use it very vastly. We have around 1,200 servers in infrastructure, and it was a very big setup. The planning and execution took a long time. It was phase by phase. But product-wise, it is easy to install, with no complications.

I am part of it.

From overall, around 10 people. They are administrators. We have a segregation of duties, including engineers who do the testing, and once it's tested, we can package it and do the installation.

It is a little expensive, but the enterprise license is okay to have when compared with other solutions. Some products including Tripwire charge based on feeding rates. Enterprise license-wise, we see a benefit compared with other products.

My focus is on SIEM, mainly in the Cloud and Cloud SIEM environments.

Graphically, the interface could be improved. However, the usability is better than other SIEM solutions, in my honest opinion.

We integrate many solutions into Splunk Enterprise Security, including Qualys, CrowdStrike, and other security solutions that we have on the perimeter. We develop use cases based on data that comes from these other solutions.

We have experienced some problems, but with the help of support, we have been able to fix them in most cases. Personally, I am satisfied with Splunk Enterprise Security integration. Splunk Enterprise Security has many out-of-the-box connectors or add-ons created directly by Splunk or by vendors such as CrowdStrike or other platforms. Splunk Enterprise Security's app store contains a lot of integration options and the community is always very helpful for troubleshooting problems that we may have.

We mainly work with SIEM solutions like Splunk Enterprise Security or NetWitness on some occasions.

Positive

The main use cases for Splunk Enterprise Security are primarily threat detection and insight. We have more of a focus on the insider threat, and we have it as a requirement of this new media to address any type of alerts or malicious activity from a special endpoint. Now it's inside.

The two features I appreciate the most in Splunk Enterprise Security are the built-in searches, which have been very easy for us to get started with right out of the box, and the fact that it accesses all of our other systems. You can access it as a pane of glass rather than having to search individually. 

We also have the option to compare our analysts from our service to service. Splunk Enterprise Security helps our SOC team prioritize and investigate high-fidelity alerts more effectively by providing a more in-depth look and the ability to access a lot more of our data. Instead of jumping from several segmented systems, it allows us to have everything brought together in one place.

For example, you have to move from our purview to our build system and to Splunk Enterprise Security, and it enables us to streamline that process. The built-in features of Splunk Enterprise Security, which we recently procured, have given us a good starting point and demonstrated the value of the product, providing an easy way to sell it to our company. 

The ease of getting everything into our purview helps us, and it serves as a good start for the investigation part in one location rather than what we usually have, which is jumping from system to system to system.

Splunk Enterprise Security plays a role in our company's strategy to combat insider threats and advanced persistent threats by currently being in its technical test phase. We are still rolling it out, and it should help us find any insider threats based on information that our policy states should not be present in our system.

Splunk Enterprise Security's risk-based alerting (RBA) has impacted our alert volume and analyst productivity because we've got many different systems feeding into it. However, it has helped to make it easier for our analysts to go through a set of events rather than 100 alerts. RBA allows us to streamline the process and customize it for our analysts.

When it comes to leveraging Splunk Enterprise Security's dashboards and visualizations to communicate security posture to executives, it's pretty straightforward for any type of information. The visualization is easy to understand, but I haven't had any direct conversations with our executives.

It's hard for me to say how Splunk Enterprise Security can be improved because I've seen what they've done with the AI systems, which is going to help a lot once it's rolled out. 

However, one main change I would suggest is related to the incident board: when an incident is resolved, it should not appear on the incident board. It's just a rare occurrence that we open up the incident.

I have been working in my current field for three years now.

The stability and reliability of Splunk Enterprise Security overall have been good. We haven't had it crash, and we haven't experienced any issues with the indexes shutting down.

Most of the problems we've faced have stemmed from the implementation of our systems and with forwarding information into the indexes, but we haven't encountered any issues with Splunk Enterprise Security itself.

I'm not sure how Splunk Enterprise Security scales with the growing needs of our company yet. We have increased the amount of data we can ingest as the project has progressed, which has provided us with better information, however, we haven't rescaled it to a production level.

My thoughts on the customer service and technical support are that it's good. They've been very attentive to us, and we've maintained a bi-weekly cadence call with the A team. We've also collaborated with several of their architects to address problems. 

We've worked with the Splunk community to gather resources to roll out Splunk Enterprise Security, and we've never felt left in the dark when we encountered a problem; they've always been very responsive.

Positive

Prior to adopting Splunk Enterprise Security, we had Purview and our own home-grown threat detection system. I don't know the exact systems we used past Purview, however, I know there were several options.

My experience with deploying Splunk Enterprise Security so far has not been difficult. Everything works smoothly with all the other systems we have. The only issues we've faced have been with the volume of indexes, which is more about how we're finding our data. Past that, installing, updating, and modifying it has all been pretty smooth.

We've worked with the Splunk community to gather resources to roll out Splunk Enterprise Security, and we've never felt left in the dark when we encountered a problem; they've always been very responsive.

The biggest return on investment when using Splunk Enterprise Security is its user-friendliness and how easy it is to adjust pre-built functionalities to fit our system, especially for investigation purposes. 

Additionally, I have found that some of the other programs we use for detection don't pick up as many alerts as Splunk Enterprise Security does.

Regarding my experience with the pricing, setup cost, and licensing of the platform, ours is provided by a different agency. In our situation, the licensing is something we don't really have to handle directly. I can say one issue we've encountered pertains to how our system is set up, specifically indexing data. However, that's more about our infrastructure rather than a Splunk Enterprise Security issue since we have an entirely new Splunk system running that data, and it requires its own license.

Regarding whether Splunk Enterprise Security's ability to ingest and normalize data from diverse sources has enhanced our threat detection capabilities, it is based on a system we have, and since we have a SIM, the data is already segmented coming in. In terms of whether Splunk Enterprise Security has helped reduce our team's average meantime to detect, it's still very early in the rollout phase. I can say that as time goes along, it's a bit quicker and has sped up, however, we haven't yet gotten any specific metrics.

We haven't used UEBA, but we've used UBA, which is what the system is based on. There's Splunk UBA and then there's Splunk UEBA, which is integrated into Splunk Enterprise Security. 

I would rate Splunk Enterprise Security an eight out of ten. 

My advice to other companies considering Splunk Enterprise Security is to avoid setting it up as a separate test system. It's crucial to integrate it into your main system because one of the main issues we've faced is managing the amount of data and understanding that you want to feed it as much data as you can.

Our primary use cases for Splunk Enterprise Security center around comprehensive content management and advanced security monitoring. We leverage the platform to develop and maintain our security use cases, while also supporting large-scale data collection, analytics, and real-time monitoring across our environment.

A key example involves our Office 365 visibility, where Splunk ES helps us track user login activity across geographic regions. This enables us to quickly identify logins from unusual or high-risk locations, investigate anomalies, and provide leadership with meaningful insights through dynamic dashboards.

We also rely on Splunk ES for real-time threat detection, using correlation searches enriched with threat intelligence. By ingesting threat intel feeds and aligning them with our use cases, we can immediately flag activity associated with known malicious IPs or other indicators of compromise.

Overall, Splunk Enterprise Security serves as a critical enabler for proactive detection, informed decision-making, and continuous improvement of our security posture.

Splunk Enterprise Security definitely improved our operations. We improved to almost 20% from what we were doing previously.

From my perspective, the room for improvement in Splunk Enterprise Security is about the number of inbuilt correlation rules that they would generate. Splunk Enterprise Security comes with some native rules and correlation searches. I guess there is an opportunity for Splunk to do even better there.

Pricing is definitely an area for improvement

I’ve been working with Splunk Enterprise Security throughout my career, first adopting it when I joined the organization in 2014. With nearly seven years of hands-on experience, it has remained a core platform in my day-to-day security operations and strategic initiatives.

Ever Since we moved to cloud, I haven't seen any outages. Even their maintenance, because in cloud they are the ones doing the SaaS and everything in the back end, even when they do maintenance changes, I haven't seen any downtime.

Splunk Enterprise Security is pretty fast. If you're looking at the cloud, I don't think it's much of an issue. If you want to scale from your current license capacity to more, I guess it's with ease. If you want me to put it in numbers, I would rate it a 9 or 9.5.

For response time, I can give a 4.5 for sure with Splunk; I never issue with hanging on the phone for hours to get their TAC/ From a quality perspective, the few tickets that I worked on or that I actually established were good. Couple of times it took long to get the TAC understand the issue but it was very rare. 

Neutral

It was an easy and seamless migration. We didn't have any issues. No issues were identified during the migration process.

We use risk-based alerting in Splunk Enterprise Security. Helps better assign the severity to a given alert/notable. In a way you can tag your identities, Assets with risk score and combine them to the risk score for each correlation rule. Helps prioritize where the response time to be spent

For everything, I would rate Splunk Enterprise Security an 8.

I primarily use it for SIEM operations including log monitoring, threat detection, and incident investigation. We collect logs from multiple sources such as firewalls, servers, and cloud platforms and use Splunk Enterprise Security to correlate events and identify suspicious activities. It acts as a centralized platform where we can monitor everything and respond to potential security incidents effectively.

What I like the most about Splunk Enterprise Security is the flexibility and customization it offers. You can create dashboards, write custom SPL queries, and design detections exactly as per your environment. The correlation capabilities are very strong and everything gets visualized in a single place, which makes analysis easier and far better than other solutions. The out-of-the-box apps and Security Essential help significantly by onboarding new data sources or building new use cases more quickly.

Regarding the mean time to resolve and mean time to detect, I have seen one major improvement in incident response time. After proper tuning and process improvements, our mean time to resolve incidents has reduced by around 50 to 60 percent. Splunk Enterprise Security helps prioritize alerts using risk-based scoring, which allows us to determine which incident poses a higher risk to the environment. This makes it easier for SOC teams to focus on critical issues first instead of wasting time on low-value alerts.

Risk-Based Alerting is one of the most useful features in Splunk Enterprise Security. Instead of generating too many individual alerts, we can assign risk scores to different events based on their severity and context. For example, if a user shows multiple suspicious activities such as failed logins, unusual location access, or privilege escalation attempts, each of these events contributes to a cumulative risk score. Once that score crosses a defined threshold, it generates a notable event which helps us focus only on higher priority incidents. This approach has helped us reduce alert fatigue and avoid chasing false positives. It also makes prioritization much easier for the SOC team because we can clearly see which users or systems are actually risky instead of reacting to every single alert.

I would say that the AI component of Splunk Enterprise Security should be improved. The AI and automation features can be improved further. Right now they are helpful, but they heavily depend on accurate data. If the data is not reliable, automation can sometimes lead to incorrect actions. Improving the trust and accuracy of the AI-driven insights would definitely make the platform even better.

Regarding AI-driven detections and assistance, sometimes human error may occur, but with the AI insights of detection, it could be negligible up to 90 to 99 percent. This has helped us considerably. The AI feature for building SPL queries, the Splunk Processing Language, has helped us create queries for our particular use cases, which is a great feature of Splunk Enterprise Security.

I have been using Splunk Enterprise Security for 10 to 11 months.

Regarding stability, I have not faced any major downtime or performance issues so far. It can easily handle large-scale data ingestion very well and is highly scalable, especially for mid-sized to larger organizations where there is a high volume of logs being processed continuously.

Regarding scalability, Splunk Enterprise Security is quite scalable. It supports whatever customization we want and provides all backend capabilities to us. We could make any kind of out-of-the-box dashboards or alerts and any kind of use cases from Splunk Enterprise Security. It is very scalable.

For Splunk Enterprise platform, I have contacted them many times and within 48 hours, we received a good response from them. Not everybody has 100 percent knowledge, so response can take a longer time depending on the issues we are facing.

It depends on the support team. If they have no knowledge regarding Splunk Enterprise Security, then nothing can happen. We could ask them if they have the troubleshooting guide for Splunk Enterprise Security or if we need to contact any other support. It depends on that.

Regarding alternatives to Splunk Enterprise Security, I could say in my experience I have not used this kind of platform particularly. However, I have gone through CrowdStrike incident response and CrowdStrike Falcon. There is Splunk Enterprise Security and there is CrowdStrike Falcon.

The initial setup of Splunk Enterprise Security is manageable if you have experienced resources. It may take a few weeks depending on the environment size and integrations, but overall, the process is straightforward as most of the documentation is provided by Splunk. Most of the effort goes into proper configuration and onboarding data sources rather than the installation itself.

Regarding the impact on operational efficiency, manual work has been reduced. The automation of alerts has helped us significantly. A human could miss alerts, but AI could not so far. Splunk Enterprise Security has helped us considerably regarding this. The AI component of Splunk Enterprise Security is great as it can automate any kind of use case we have and detects and gives us notification for that particular alert. While you could expect a false positive, they are negligible compared to the correct ones they are providing.

Regarding pricing, Splunk Enterprise Security is on the higher side in terms of cost. It is more suitable for enterprises that can fully utilize its capabilities. Smaller organizations might find it expensive, especially when dealing with large volumes of data and licensing models. Splunk Enterprise Security has two kinds of licensing. One is SVC-based licensing and the second one is ingest-based licensing. The old model charged based on the volume of data ingested on a daily basis, while the current SVC-based model charges based on the compute utilized for searching that data, regardless of volume. They have improved the licensing structure, but it is still higher for smaller organizations.

Regarding alternatives to Splunk Enterprise Security, I could say in my experience I have not used this kind of platform particularly. However, I have gone through CrowdStrike incident response and CrowdStrike Falcon. There is Splunk Enterprise Security and there is CrowdStrike Falcon.

Regarding the feature called Risk-Based Alerting, I have tried using it.

For Splunk Enterprise platform, I have contacted them many times and within 48 hours, we received a good response from them. Not everybody has 100 percent knowledge, so response can take a longer time depending on the issues we are facing.

Regarding the impact of Risk-Based Alerting on alert volume or analyst productivity, Risk-Based Alerting is one of the most useful features in Splunk Enterprise Security. Instead of generating too many individual alerts, we can assign risk scores to different events based on their severity and context. For example, if a user shows multiple suspicious activities such as failed logins, unusual location access, or privilege escalation attempts, each of these events contributes to a cumulative risk score. Once that score crosses a defined threshold, it generates a notable event which helps us focus only on higher priority incidents. This approach has helped us reduce alert fatigue and avoid chasing false positives. It also makes prioritization much easier for the SOC team because we can clearly see which users or systems are actually risky instead of reacting to every single alert.

Regarding the impact on operational efficiency, manual work has been reduced. The automation of alerts has helped us significantly. A human could miss alerts, but AI could not so far. Splunk Enterprise Security has helped us considerably regarding this. The AI component is great as it can automate any kind of use case we have and detects and gives us notification for that particular alert. While you could expect a false positive, they are negligible compared to the correct ones we are receiving. I would rate this product eight out of ten.

One significant deployment we executed was for an organization looking to extend and modernize their existing SIEM capabilities. Their primary objective was to strengthen their threat detection, investigation, and response posture, which had outgrown their legacy solution.

As part of this engagement, they also expanded their Security Operations Center — bringing in additional skilled analysts to support the growing operational demand. The architecture we deployed centered around Splunk Enterprise Security as the core SIEM platform, which was then tightly integrated with Splunk SOAR to automate response workflows and accelerate incident handling. This combination of Splunk ES for detection and investigation, paired with Splunk SOAR for orchestration and automated response, delivered a comprehensive and cohesive end-to-end security operations capability.

Splunk Enterprise Security has been a game-changer for many organizations in several meaningful ways. Let me walk you through the key benefits I've personally witnessed:

• Reduced MTTD
• Unified visibility across the enterprise
• Improved SOC analyst productivity
• Stronger Compliance Poster
• Threat Intelligence Integration
• RBA, ER & BL visibility
• Scalability for a Growing Environment

Eventually,  Splunk Enterprise Security didn't just improve our security posture — it transformed our security operations from a reactive, log-drowning function into a proactive, intelligence-driven capability.  That transformation is something I'm deeply proud of from my tenure.

In my experience, the strongest feature of Splunk Enterprise Security is its bundling. The way it bundles the data platform, SIEM, workflows, and analytics into a single unified solution is what truly sets it apart. Unlike traditional approaches where each of these capabilities comes as a separate tool requiring separate integration effort, Splunk ES has bundled them together exceptionally well — and that bundling is what delivers the most value.

We validated this firsthand during a Proof of Value (POV) exercise, where we ingested data from a variety of heterogeneous security sources into Splunk ES. What stood out immediately was how the platform correlated everything automatically — across logs, events, and network data — without requiring manual intervention. This built-in, default correlation not only unified our visibility but also significantly reduced the database footprint by eliminating redundant, siloed data storage. The result was noticeably faster queries and a much quicker path to issue resolution — something that directly translates to improved MTTR in a real SOC environment.

On the analytics side, Risk-Based Analytics proved invaluable, particularly in complex, multi-failure scenarios where traditional alert-driven approaches would have struggled. Whether it was flagging authentication attempts from suspicious foreign IPs or detecting subtle privilege escalation patterns, RBA surfaced these threats with clarity and context. What I also appreciated was how RBA made it easy to compare outcomes across different threat scenarios and evaluate the effectiveness of our response options in a structured way.

Above all, the most significant advantage of RBA is that it does not generate alert fatigue. Analysts are not buried under thousands of low-context alerts. Instead, they work with risk-scored, entity-centric narratives that tell a coherent threat story — making the SOC sharper, faster, and far more effective.

Complex Setup and Configuration

In my personal opinion, the initial setup and configuration process is notably complex and tedious. It is not a plug-and-play solution by any means. We frequently had to engage Splunk support during deployment and fine-tuning phases. During testing, the risk scores did not always behave as expected — which is concerning when you are making detection decisions based on those scores. Unlike some competing tools that offer simpler, more intuitive alerting out of the box, Splunk ES can sometimes result in ineffective detection or missed threats if the design and configuration are not executed with precision. The platform rewards expertise but penalizes poor configuration.

Alert Calibration — A Boolean Problem

In my personal opinion, one of the most frustrating challenges I encountered was around alert calibration. It behaves almost like a boolean switch — either you are flooded with an overwhelming volume of alerts, or the moment you make one or two configuration adjustments to suppress the noise, the alerts stop firing altogether. There is very little middle ground. This calibration mechanism needs significant improvement to give security teams the fine-grained control they need for effective operations.

Cost vs. Value — Not a One-Size-Fits-All Solution

In my personal opinion, Splunk Enterprise Security is premium-priced, and in my view, the value it delivers is highly dependent on the nature of the organization. For financial institutions, oil and gas companies, and utility providers — where data security, operational continuity, and regulatory compliance are mission-critical — the investment is absolutely justified. However, for retail or FMCG organizations, where operations are predominantly machine-driven rather than computer-dependent, the cost-to-value ratio becomes questionable. There is always a trade-off between efficiency, cost, and time — and for FMCG companies, that trade-off rarely favors a solution of this scale and price point.

I have been working with Splunk Enterprise Security for few years now as part of my broader cybersecurity career spanning over two decades.  In my experience across various roles, I have used Splunk ES extensively for:

• Threat detection & correlation — building custom correlation searches aligned to MITRE ATT&CK
• SOC operations — managing notable events, incident triage, and response workflows
• Security monitoring — dashboards for executive reporting and operational visibility
• Compliance use cases — mapping detections to frameworks like ISO 27001, NIST, and PCI-DSS
• Threat intelligence integration — feeding IOCs into Splunk ES for enrichment

If Splunk Enterprise Security had been available during a ransomware incident, the scenario would have been completely different. Combined with Rubrik, this is a good solution for ransomware recovery. Recovery was quick, but it would have been even quicker with this tool in place.

If a zero-day vulnerability occurs, it takes a week to resolve. Known vulnerabilities are a different story. In unknown-unknown scenarios, we depend on the threat intelligence server. If the threat intelligence server has not logged the threat anywhere in the world, we will be in trouble. Before threats are logged on the threat intelligence server, we struggle to address them.

Splunk is faster in comparison with other tools. The integration of threat intelligence with Splunk Enterprise Security, SIEM, and SOAR is very good. If Splunk continues building tools like this, security teams may lose their roles.

Splunk Enterprise Security's scalability is one of its stronger suits, though it comes with an important caveat — the path to scalability is preceded by a complex and tedious initial setup. Once that foundational groundwork is properly laid, however, the platform scales remarkably well.

Support is very good.

Yes, prior to adopting Splunk Enterprise Security, one of the organizations we worked with was running Open Source - SIEM — which is one of the most widely adopted open-source SIEM solutions in the market.

Why "Open Source - SIEM"  Initially Made Sense?

For a growing organization with budget constraints, OSSIM was an attractive starting point. It offered core SIEM capabilities — log management, event correlation, asset discovery, and basic threat detection — without the significant licensing costs associated with enterprise platforms. For its time and price point, it served its purpose reasonably well.

Why We Outgrew "Open Source - SIEM" ?

As our infrastructure grew in complexity — particularly as we moved toward hybrid and multi-cloud environments — Open Source - SIEM's limitations became increasingly apparent:

• 
  Scalability Constraints — Struggled to handle growing data volumes and diverse data sources at enterprise scale
• 
  Limited Correlation Depth — Basic correlation rules resulted in missed detections and higher false positive rates
• 
  No Risk-Based Analytics — Absence of an RBA framework meant analysts were constantly battling alert fatigue
• 
  Maintenance Overhead — Being open-source, the platform demanded significant internal resources for patching, maintenance, and custom integrations — effort that could have been better utilized elsewhere
• 
  Enterprise Support Gap — Reliance on community forums rather than dedicated enterprise-grade support was an unacceptable operational risk as our environment matured

During testing, we observed that risk scores did not always align with our expectations — certain scenarios produced lower-than-expected values or failed to trigger detections altogether. However, attributing this solely to poor design would be an oversimplification.

In reality, the root causes are more nuanced:

• Configuration Complexity — Splunk ES's RBA framework is highly sensitive to how risk rules, asset context, threat intelligence, and correlation searches are calibrated. Any miscalibration across these layers directly impacts scoring accuracy.
• Data Quality & CIM Normalization — If incoming data is not properly normalized to Splunk's Common Information Model, correlation searches simply will not fire as expected — this is a data onboarding issue, not a platform flaw.
• Insufficient Baselining — RBA needs adequate time to learn normal behavior before anomalies can be meaningfully scored. Expecting accurate results during early testing phases is unrealistic.

Unlike simpler tools that fire straightforward binary alerts, Splunk ES's contextual, risk-driven approach demands greater investment in design, onboarding, and tuning. Missed detections are therefore more a consequence of incomplete configuration and insufficient baselining than a fundamental platform weakness.

Yes, for our Splunk Enterprise Security deployment, we engaged a Systems Integrator — whose name I'd prefer to keep confidential — to handle the implementation.

The overall experience was positive but not without challenges:

• Strengths — Their Splunk-certified consultants brought solid deployment experience, handled the initial architecture design competently, and ensured the core platform was stood up within the agreed timeline.
• Data Onboarding — Onboarding data from heterogeneous security sources required significant back-and-forth, and their familiarity with some of our niche data sources was limited, which added to the timeline.
• Knowledge Transfer — While the deployment was executed well, the knowledge transfer to our internal team was insufficient. Post-deployment, we found ourselves heavily dependent on the integrator for tuning and configuration changes — something that should have been addressed more proactively.
• Support Escalations — For complex RBA tuning and correlation search customization, the integrator frequently had to escalate directly to Splunk Professional Services, which added delays.

Overall, the deployment was functional, but I would strongly recommend organizations negotiate comprehensive knowledge transfer and tuning support as non-negotiable deliverables in any such engagement.

When a zero-day vulnerability is discovered, the resolution timeline can realistically range from days to weeks, depending on the complexity of the vulnerability and the vendor's response time. Known vulnerabilities, on the other hand, are a different story entirely — with established signatures, patches, and detection rules already available, our response is significantly faster and more structured.

The real challenge lies in unknown-unknown scenarios — threats that have never been seen or documented anywhere in the world. In such cases, we lean heavily on Threat Intelligence platforms and feeds to provide context and detection guidance. However, this creates an inherent dependency — if a novel threat has not yet been observed, analyzed, and logged by the global threat intelligence community, our detection capability is naturally limited.

This is the fundamental gap in any reactive, signature-based or intelligence-dependent detection model. Before a threat is identified, documented, and propagated across threat intelligence servers globally, organizations are essentially operating blind — relying on behavioral analytics, anomaly detection, and heuristic-based approaches within Splunk ES to catch what signatures cannot. This is precisely where Risk-Based Analytics and User and Entity Behavior Analytics (UEBA) become critical compensating controls to bridge that detection gap.

Over the years, Splunk has gradually established itself as the dominant market leader in the enterprise SIEM space — and with that dominance comes a certain pricing confidence that works against the customer. A market leader with little competitive pressure has very limited incentive to rationalize or reduce costs, and Splunk is no exception to that pattern. The pricing strategy reflects their market position more than it reflects the actual cost of delivery.

That said, alternatives do exist in the space — whether it is Microsoft Sentinel, IBM QRadar, or emerging cloud-native SIEM platforms — though none, in my assessment, currently match the breadth, depth, and maturity that Splunk ES brings to the table at enterprise scale. Organizations must therefore make a strategic choice — either absorb the premium pricing that comes with market leadership, or accept certain capability trade-offs by going with an alternative solution.

In the enterprise SIEM and security analytics space, notable competitors include SentinelOne and IBM QRadar, among others. Splunk Enterprise Security continues to hold a clear market leadership position in terms of platform maturity, feature depth, and ecosystem breadth.

That said, I want to be transparent — we have not conducted a formal, structured pairwise comparison between Splunk ES and its competitors. The reason is practical rather than oversight. In our experience across multiple customer engagements, tool selection is rarely driven by a head-to-head competitive evaluation. More often than not, organizations choose their security platform based on specific use cases, existing infrastructure, regulatory requirements, and organizational maturity — and we were not always part of the initial selection process. In many engagements, the tool was already chosen by the time we came on board as an integrator or consultant.

Therefore, while I can speak confidently to Splunk ES's strengths and limitations from deep hands-on experience, a definitive side-by-side competitive assessment would require a more structured evaluation exercise than what our engagements have afforded us thus far.

The platform's ability to predict, identify, and resolve threats in real time is exceptional — but that capability is not absolute. It is heavily contingent on the team behind the platform. A highly skilled, experienced team with deep knowledge of Splunk's configuration complexity can genuinely extract a 9 out of 10 level of performance from the platform. However, a growing or maturing team navigating diverse and complex scenarios — particularly in hybrid and multi-cloud environments — would realistically deliver around 8 out of 10, as the learning curve and operational complexity inevitably introduce some gaps.

The one point I withhold from a perfect score is precisely because of this team dependency — the platform's effectiveness ceiling is ultimately defined by the people operating it, not the technology alone.

Splunk Enterprise Security has helped reduce my team's average meantime to detect insider threats, which I discussed at a conference a few years ago. Previously, it would take us days to properly analyze, triage, and respond to insider threats. Now with risk-based alerting, we are able to reduce that to 10 minutes. 

This is a powerful metric on the amount of time saved. Not only are we saving time, we're able to apply investigations in a more uniform and consistent manner where we're able to control the output, ensuring we're delivering consistent and valuable products each time we perform investigations or responses.

If you want to use some of the out-of-the-box and more guided features, you have that, and if it meets your team's needs, that's great. If you also want to start to grow and mature beyond those out-of-the-box capabilities, it gives you this wide-open road to be able to create and develop your own applications, response capabilities, and detection capabilities, where your limitations are really only your imagination and what your team's able to accomplish. This is something powerful with Splunk that other vendors aren't replicating.

I've used it for a long time and I still feel it's the best tool out there. I love what the team is doing. They refreshed the user interface recently, they've got version control coming, and they're doing more exciting things. 

I'm really excited to see them continue to improve by making the SIEM the central point of what security teams are doing and operating instead of having multiple tools such as SOAR or UEBA. 

With Splunk Enterprise Security and Mission Control, everything is coming back into one place. We're able to operate from a single source to take an alert and get to an actionable state much quicker. I'm really excited to see how they continue to grow and evolve that.

I have been really impressed with the stability and reliability of Splunk Enterprise Security over the last ten years as we've had very few incidents where it was down or we had an issue. 

Typically when we've had issues, it was something more self-initiated where we had a piece of hardware that failed. It wasn't ES's fault. I've been really happy that it's delivered very consistent user performance. Performance delivery for us hasn't been a constant pain or nightmare that I've dealt with other vendors where the tool is constantly up and down. Splunk has been very reliable and very consistent.

I've seen Splunk Enterprise Security scale from a 300-gig license to a 30-terabyte-a-day license. The infrastructure and different options allow you to scale at the pace that makes sense for you and your organization, whether that's large scale or something smaller to midsize. There are many different options at your fingertips to create the right architecture that meets your needs.

I find the customer service and technical support of the platform to be amazing. It's done better at Splunk than I've seen any other vendor do. 

We've had great customer success managers who have helped us navigate scaling from 600 gigs to 30 terabytes. We've always had the architecture team, security team, or other experts whenever we've needed them or wanted to consult on our growth or future. 

The Splunk community is amazing as it's not just help we have to go to Splunk for. There's a vibrant community we can reach out to for answers from other Splunk users on how they're solving problems and what challenges they're facing and solving. We've got all these sources we can rely on and not just a vendor giving us the answer they want us to hear.

Positive

Prior to adopting Splunk Enterprise Security, I have used quite a few different SIEMs and have done many proof of values throughout the years. There are many SIEMs that have similar features and capabilities. As an industry, they all brag that they can do similar things. What it really comes down to is establishing what you want your team to be able to do and accomplish. When you are able to write that out and compare it against what the market is doing, you're going to consistently find that Splunk is doing it better, if not miles better than the nearest competition.

When deploying Enterprise Security, the biggest challenge or the most amount of work that you're going to spend time on is onboarding your data and getting it into a position that allows you to search it uniformly. So applying things like the common information model is the biggest time investment that you'll have in the deployment. 

The actual configurations of alerts and dashboards and all of that happen rather smoothly once your data is uniform. One of the powerful aspects of this is that it allows you to search across similar languages, hit multiple data sources and indexes, and make the most of your datasets. That's something that I really like. 

While it might be an initial upfront investment on data onboarding, it's going to be something that makes your life incredibly easy once you get beyond that point.

The biggest return on investment when using Splunk Enterprise Security is that it gives you control.

One of the things I hear a lot is that it's expensive. We've tried to move beyond just a single line item on a spreadsheet to talk more about what's valuable to us as a security organization. What are we trying to do and accomplish? What are the tools we need to accomplish all of that? What I've found over the last 20 years is it's either going to be one big line item on your budget or a bunch of smaller line items. When you break it down and individualize it, you've got other things that might initially cost less, however, your cost over the years is going to end up being more than Splunk. 

The initial license ask is typically more than what we'd see with other vendors. The value it provides and the capabilities it gives us, when we look at what other tools can do, we would end up spending more just to meet that same level of capabilities. It's important that everybody understands SIEM value isn't just a singular license cost. There are many other components that come into play that really show value and true cost.

The biggest advice I would give to anybody considering Splunk Enterprise Security is to understand what you want your organization to look like. What kind of things do you need your SOC to do? If you're just looking at doing basic auditing and alerting and reporting, there are features you can use. 

If you're wanting to do more threat hunting and incident response and go from ordinary to extraordinary, there are many features Splunk will help you utilize. It's really important that you understand what you want your SOC's identity to look like. 

As you partner and do your proof of value with Splunk, you can focus on those features that align to your immediate needs, as those you're curious about growing into, where you might see your organization in the next one year, two year, three year, five year type of journey and how those features really align, knowing that you've got a partner that's going to allow you to happily exist where you're at, yet also support you on the growth where you're wanting to go. 

I'd rate the solution nine out of ten.

My main use cases for Splunk Enterprise Security include extensive security operations.

Splunk Enterprise Security has helped improve my organization's business resilience. The more I know, the more I can see, and the better my security stance becomes due to inherent visibility.

We did use risk-based alerting in Splunk Enterprise Security. We had to refine the data model based on the initial risk-based alerting model as, when we fed it raw data, the data models built, and there were many endpoints and network devices that had a high-risk score just because the data was new. Those risk scores carried over with weights, so we had to go back in and cleanse the risk score model and rebuild it once we had good data and logs going into the ES platform.

If they could implement an out-of-the-box solution, it would be almost an AI data onboarding system that automatically identifies the fields that are SIM compliant, Common Information Model compliant, and then immediately applies those to a data model, builds a data model, and starts the SIM searches against those data models. A lot of the work for Splunk Enterprise Security happens on the back end, not the front end, so that's where you can really trim down your resource need and expertise if you supplement that with automated or artificial intelligence.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat protection are integration with other platforms and noise. Alerts from Splunk Enterprise Security generate many alerts, which take time to move through, assess, analyze, and determine whether they are true or false positives, and then go back and redundantly tune.

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be cumbersome. Custom use cases are also cumbersome. You need someone very skilled at Splunk and data modeling to get to a point where you create something inside SPL that allows you to detect what you want.

There is not much predictive analysis happening in Splunk, and I hope that with the new AI toolkit allowing for the deployment of custom AI models and large language models within Splunk, along with additional advanced mathematical capabilities for vector analysis, the prediction and ability for Splunk Enterprise Security to add value to detections will increase.

I have a lot of experience using Splunk Enterprise Security.

I would assess the stability and reliability of Splunk Enterprise Security as typically very good, with minimal downtime or crashes.

We haven't expanded our usage of Splunk Enterprise Security; we used it by default from the start. The expanded usage is simply adding more information and logging to gain better insights.

I evaluate customer service and technical support as normally very good. When it's not, I reach out to my sales representative and my SE. I have a great SE, Jonathan Wilson, who jumps right in to solve issues when we need help or engagement.

Customer support has room for improvement, particularly in terms of speed and the ability to escalate issues to more senior personnel. I understand the need for a tiered approach, but I believe some issues should move more rapidly to a senior person.

Positive

Prior to adopting Splunk Enterprise Security, we were not using any other solution to address similar needs.

It's the human element there. It's helpful to have the expertise and the people to really take those data models and build them, refine them, get everything into the common information model on the back end so that, on the front end, you're getting the best data possible and you don't have to rebuild those models like we had to do with the risk score.

I have seen a return on investment with Splunk Enterprise Security. We went from almost no visibility to significant visibility across the enterprise, allowing us to see threats that were previously unknown or unregistered, which increased our security stance and made us understand we needed to look beyond the perimeter for internal threats and for lateral movement, east-west versus just north-south.

I helped negotiate the cost. Our sales rep is is really good, and we had a good understanding. The more you know about the product, the easier it is to negotiate. If you're not aware of how the product works, what the ingestion's like, especially Splunk Cloud with the SBC units and AWS, and how impactful that can be to queries and optimization and just general operations, it becomes very difficult if you're trying to maintain a certain price point for cost effectiveness. It it can be difficult to get an optimum amount of credits and SBCs in order to run what you need to run.

My advice to other organizations considering Splunk Enterprise Security is that while not everyone needs the top breed, ensure you have the resources and time to invest in it if you decide to use it. Anything off the shelf won't be as valuable as something you invest in and put time into, so the more you put in, the more you get out.

I would rate Splunk Enterprise Security overall as probably an eight out of ten; it is industry-leading.

My main use cases for Splunk Enterprise Security are cloud-based use cases.

The features I appreciate the most are the content. I use the content, enable, and see how that works. They give me ideas on how to tune something or determine if that use case is proper for us, or I can take the idea of that use case and customize it based on our needs. 

Splunk Enterprise Security has helped improve my organization's business resilience.

I do use disparate security solutions that integrate or import data into Splunk Enterprise Security. The integration of these solutions supports our security operations. That's the part I work on with the architect. I'm not fully familiar with that, but when we talk, he mentions those integrations and that seems to be good from that perspective because we are separate. We have separation of duty between the architect, security engineer, and analyst.

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be good. My organization uses risk-based alerting in Splunk Enterprise Security for three or four use cases. We have one active for user, cloud users, with data from Microsoft 365. We elevate the risk of users based on behavior and conditional access. It gives us visibility of which users are at real risk based on the configuration we have.

My security ops team takes around 30 minutes to one hour to remediate security incidents with Splunk Enterprise Security compared to a previous solution. They previously did everything manually with the last solution, opening tickets manually and jumping between platforms, the ITSM platform, the same platform. Now with Splunk Enterprise Security, we have everything in one place. The notables are created automatically, but they can also create their own notables based on the investigation. That improved and reduced about 50% of the manual work that was done before versus what we are doing now.

In terms of how Splunk Enterprise Security can be improved, based on the last version I'm seeing here, as we are a bit behind,is the Mission Control. It is something that I have heard and tested on a couple of labs that is very good for unifying everything. There are additional features I would want to see included in the next release. We're planning to incorporate UBA and SOAR. It would be good to have everything in one place.

I have been using Splunk Enterprise Security for two years.

The stability and reliability of Splunk Enterprise Security that I would assess depend on our on-premises setup.

Splunk Enterprise Security scales with the growing needs of my organization; however, that's more the architect's domain. We had licensing for 500 gigabytes, then we extended it to 1 terabyte. Now we have 1.5, and we are going to extend to 2.5.

I would evaluate customer service and technical support as good, rating them a nine out of ten. I'm usually not the one who opens tickets. The couple of times that I have opened tickets with Splunk, they were very good. The only thing I was expecting is that they would follow up with me.

Positive

Prior to adopting Splunk Enterprise Security, I was using Microsoft Sentinel to address similar needs.

The initial setup process was good.

I have not seen ROI with Splunk Enterprise Security. 

I don't work with the numbers, licensing, and related aspects. The architect handles that part.

I wasn't in the organization when they made the decision, however, based on what I heard, the factors that led to the change were all the detection capabilities, and at that time, they were looking for a solution that was mature enough to implement. At that time, Microsoft Sentinel was not the right solution.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are related to the data. Onboarding the data, trying to get only what we want and what matters for security is a challenge every day. We're trying to onboard what matters and what is significant for security. We use Splunk solely for security purposes. Some people see Splunk as a data analytics tool, which it is, but changing people's minds that we use Splunk for security is an everyday challenge.

I am not using any new threat detection features in Splunk Enterprise Security currently. My impressions of its ability to predict, identify, and solve problems in real time are good, even though we don't use many things out of the box. We use most of the out-of-the-box features and customize them. We have just a few out-of-the-box use cases in place.

The advice I would give to other organizations considering it is to send people to training before getting Splunk Enterprise Security. You can use my real name when publishing my review.

On a scale of one to ten, I would rate Splunk Enterprise Security a nine.

The business case we use Splunk Enterprise Security for is internal security and organizational security purposes. We use it for all kinds of use cases, depending on the project.

We are satisfied with Splunk Enterprise Security, and it comes with a wide number of out-of-the-box applications which do help us to fix the problems. The out-of-the-box applications are majorly important for any log source onboarding. When you bring in log sources, you can do anything with it. It has inbuilt Security Essentials, which is the application that helps when you get a lot of log types onboarded, enhancing the use cases based on what you need. For example, after onboarding XYZ log sources, you can develop use cases based on that, such as security contents on that, then you can take it ahead. Those features are the best which we have.

After that, you can develop advanced dashboards or use the new AI feature that can translate something you say into SPL language, making it easy for us. Those features are better right now.

Splunk Enterprise Security has achieved a high level of product functionality. Improvements can focus on bringing various features together for easier use and potentially addressing human versus machine threats with AI-based detection, along with educating organizations about compliance.

I have been working with Splunk Enterprise Security for almost four years now.

Data ingestion is crucial, and I have mentioned this feedback in previous calls. Splunk Enterprise Security is stable and provides a good infrastructure for large organizations. For a Splunk Enterprise Security product in organizations with 20,000 to 80,000 people, it is very stable. However, for smaller organizations, the deployment and management can be expensive, leading them to choose other SIEM tools. For mid-sized organizations, Splunk Enterprise Security is indeed the best option, especially when ingesting a lot of data.

Data ingestion is crucial, and I have mentioned this feedback in previous calls. Splunk Enterprise Security is stable and provides a good infrastructure for large organizations. For a Splunk Enterprise Security product in organizations with 20,000 to 80,000 people, it is very stable. However, for smaller organizations, the deployment and management can be expensive, leading them to choose other SIEM tools. For mid-sized organizations, Splunk Enterprise Security is indeed the best option, especially when ingesting a lot of data.

We were previously using IBM QRadar and McAfee products, but right now we haven't explored that part because for a few years, I am working for an organization where we only explore Splunk Enterprise Security or Azure Sentinel or any freeware market SIEM solution. That is the kind of project I am doing right now, but I am not working with IBM QRadar.

The setup process for Splunk Enterprise Security is simple. An experienced technician can complete a systematic installation within a few weeks. Splunk Enterprise Security offers success partner provisioning for additional support and implementation.

We usually use Splunk Enterprise Security and Azure Sentinel, and we are researching Wazuh EDR and solution.

Right now we are working on Tines and Scramble, and there are few SOARs which we are looking at like LogRhythm and Sumo Logic source. We are assessing the products right now. We haven't adopted any of them right away.

There is integration between third parties with Splunk Enterprise Security. For example, we can connect a Tenable vulnerability assessment tool. It has inbuilt features to trigger automation actions. We have integrated a lot of products, and when you want to trigger SOAR or something of that nature, third-party applications are already available. For instance, when you integrate Tines, there are extensions available, making it a more powerful tool. This systematic integration is beneficial to us.

Regarding risk-based alerting in Splunk Enterprise Security, there are a lot of contents available from Splunk used as rules or searches. If we design systematic inputs and use cases, it does provide a lot of threat-based detection, showing what detection is happening right now and how advanced automation is expected to happen. Those visibilities are available with Security Essentials.

The resolution of security incidents using Splunk Enterprise Security is quite faster. However, faster remediation ultimately depends on the security operations. The detection with Splunk Enterprise Security is effective, but the story starts afterward. In the actual products, such as Splunk Enterprise Security, 20 to 30% of the time is spent on detection and investigation for incidents. The combination of Splunk Enterprise Security, ITSM tools, and SOAR on a single platform provides a value-add, allowing for a more efficient resolution process while considering costs for security teams.

For threat detection features in Splunk Enterprise Security, it is necessary to build use cases. SIEM tools are not purely threat detection tools; they are notification tools for threats detected elsewhere. We can do anomaly detection, but detecting actual threats requires specific signatures that we haven't explored yet in depth.

For threat detection features, it is vital to build use cases and compare anomalies such as a significant increase in login attempts. Anomalies can be detected in Splunk Enterprise Security, but defining signatures for threats is a task we still need to explore.

We work in both cloud and on-premises models, with our on-premises being integrated with cloud services from certain vendors. I would rate this product overall a 9 out of 10.