Splunk Enterprise Security Valuable Features
The most valuable feature of Splunk Enterprise Security is its main component, the correlation engine, which lets me specify detailed conditions such as how many events there need to be, what notification I will get, and whether I get it per event or one per batch.
There is also throttling; in basic Splunk, there is no throttling at all. In Splunk Enterprise Security, there is an additional layer of control of these alerts. I appreciate the correlations and the alerts in that product.
The asset management is particularly useful. We can enable asset lookups to show in every event. We define one, and it will translate to all events, allowing asset management to be easy.
Splunk Enterprise Security helps to reduce alert volume because the language is similar to SQL with Google-style functionality above it. We can use these terms to specify what is in the allow list. We can specify what's in lookups, what should be there, and what's not. It definitely helps to reduce the numbers of full score.
Splunk Enterprise Security helps to speed up security investigations. When the finding is created, there are many correlations. You can quickly see what asset it is, what identity is involved, and you see the historical progress of what happened. Right from the findings, you can call VirusTotal and other resources, which is definitely helping.
I assess Splunk Enterprise Security's insider threat detection capabilities for helping to find unknown threats and anomalous user behavior as great. It regularly checks new events through the correlation search and compares them with threat intelligence. The threat intelligence is refreshed regularly, downloading new threat information. Splunk has a special research team for security content and intelligence, which distributes its own threat list to Splunk Enterprise Security.
It's great for finding anonymous threats. It checks new events and also works with the latest threat intelligence. At least once a day, it develops new threat information. In Splunk, there is a special research team. They are also distributing their own threat lists. The solution is capable of very good threat detection.
In basic SPL, with the Splunk query language, we can detect brute force without threats. It scans every event, and if it finds patterns, IOCs, it can trigger notable events, which are now called findings. The new version includes an internal Git repository, so when the SOC team makes improvements to the correlation search and makes changes, it automatically keeps a history of that correlation search, what was changed, when, by whom, and you can revert if it breaks.
The value that Splunk Enterprise Security offers in resilience is vital. It helps a customer that distributes gas across the Slovak Republic, ensuring that critical infrastructure, such as operational pipelines, keeps running. If there were an outage that delayed recovery, the economic impact could be significant.
It's good for analyzing malicious activities and detecting breaches. The interface sometimes can be very essential.
Splunk has helped us reduce alert volume. We can use terms to specify what is whitelisted and we can search like we would on Google.
We've been able to speed up security investigations. When a finding is created, there are many correlations. You can quickly see the asset, the identity involved, the history, et cetera.
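The threshold-and-throttle behaviour the reviewer describes above (how many events, per-event versus per-run notification, suppression of repeats) can be seen in a single correlation search definition. The stanza below is an added editorial example, not the reviewer's configuration and not one of Splunk's shipped rules: it counts failed logins per source and destination from the CIM Authentication data model, opens a finding when a source exceeds the threshold, and suppresses a repeat finding for the same source and destination for an hour. The stanza name, the app it lives in, and the numeric thresholds are assumptions; the conf keys are the documented savedsearches.conf and Enterprise Security keys, so check them against your ES version before deploying.

```ini
# Added example, not Splunk-shipped content. Lives in
# $SPLUNK_HOME/etc/apps/<your_app>/local/savedsearches.conf (app name assumed).
[Example - Excessive Failed Logins From Source - Rule]
# Scheduling: run every 10 minutes over the last 15 minutes; the overlap
# tolerates late-arriving events, and throttling below stops double-counting.
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = now

# Detection logic: tstats over the accelerated CIM Authentication data model is
# sourcetype-agnostic, so one search covers Windows, Linux and VPN auth logs.
# A source that fails against 5+ distinct accounts 20+ times is the condition.
search = | tstats summariesonly=true count as failures, dc(Authentication.user) as distinct_users, values(Authentication.user) as users, min(_time) as first_seen, max(_time) as last_seen \
    from datamodel=Authentication.Authentication where Authentication.action="failure" \
    by Authentication.src Authentication.dest \
  | rename Authentication.* as * \
  | where failures >= 20 AND distinct_users >= 5 \
  | eval duration_sec = last_seen - first_seen

# Alert condition: fire whenever the search returns any row; the real
# threshold is expressed in SPL above, where it is easier to tune.
counttype = number of events
relation = greater than
quantity = 0

# Per-run versus per-result: 1 runs the actions once per search run over the
# whole result set, 0 runs them once per result row.
alert.digest_mode = 1

# Throttling: at most one finding per (src, dest) pair per hour, instead of a
# new one every 10-minute run while the brute force is still going.
alert.suppress = 1
alert.suppress.fields = src,dest
alert.suppress.period = 1h

# Create the ES notable event / finding with analyst-facing context.
action.notable = 1
action.notable.param.rule_title = Possible brute force from $src$ against $dest$
action.notable.param.rule_description = $failures$ failed logins across $distinct_users$ accounts ($users$) in $duration_sec$ seconds.
action.notable.param.security_domain = access
action.notable.param.severity = high
action.notable.param.drilldown_name = View failed logins from $src$
action.notable.param.drilldown_search = | from datamodel:"Authentication"."Failed_Authentication" | search src="$src$" dest="$dest$"
action.notable.param.drilldown_earliest_offset = $info_min_time$
action.notable.param.drilldown_latest_offset = $info_max_time$
```

The design point is that the counting, the alert trigger and the throttle are three separate knobs: the SPL decides what is suspicious, `counttype`/`relation`/`quantity` decide when the actions run, and `alert.suppress.*` decides how often the same key may page an analyst again. Tuning alert volume usually means adjusting the last two rather than the detection itself.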
The specific features I find the most valuable in Splunk Enterprise Security include the amazing UI and good integrations, and I can say this from a practitioner standpoint.
It is just comfortable. Splunk Enterprise Security is easy to use for an analyst, and the whole analyst experience is great; it is pretty insane. It is honestly very addicting.
As I told my fellow colleagues, they love using Splunk Enterprise Security. Once you go to any other platform, it is similar to going through withdrawal sometimes. You have to set up use cases, update data models, and link the right use cases to the right data models for those detections to happen.
In terms of challenges, there are none; Splunk Enterprise Security is one of the best vendors in the security analytics space.
Splunk Enterprise Security has implemented improvements that may help reduce false positives, as it has some amazing features that go underutilized, such as the machine learning toolkit. The gap in skill set within the SOC environment is the reason for this underutilization.
Splunk has some amazing features we are not utilizing. For example, ML. I have not specifically utilized AI-driven security initiatives or machine learning within Splunk Enterprise Security; even the ML toolkit is not related to advanced AI components. It operates more like an advanced SQL query based on existing data trends without offering out-of-the-box advanced ML capabilities to provide significant value.
The dashboards for some default use cases are provided. Similarly, default dashboards and reports are provided. You can pivot off of these and drill down on your investigations. The Splunk query language is definitely very easy to understand and use on a regular basis. The learning curve is also very low. So, from a practitioner standpoint, you're not going to face so much struggle in learning the Splunk query language. In fact, for other solutions, you might need AI capabilities to translate natural language.
Additionally, Splunk Enterprise Security claims to reduce data storage to a certain extent. I'm not sure if that's the case; however, I have heard that it is.
Lookup tables are very useful in Splunk.
They have approximately 50,000 predefined correlation rules, which is quite a lot, and I find that good.
The most valuable features of Splunk Enterprise Security are several add-ons and TAs, while the lack of a DB requirement is a significant advantage for the business, allowing easier management without needing in-depth DB knowledge. I find that Splunk Enterprise Security's ability to import data from various sources, including looking up Excel files, is quite effective, providing a good way for management.
We import data from several unique data sources into Splunk Enterprise Security, possibly more than a hundred because we have AWS and multiple servers. We have disparate security solutions that integrate data into Splunk Enterprise Security. I can still query data in Splunk Enterprise Security regardless of where it resides, and in my perspective, the query provides data quickly.
Splunk Enterprise Security has improved our organization's ability to ingest and normalize data compared to before using Splunk Enterprise Security. The unified platform helps consolidate networking, security, and IT observability tools, which is very relevant to our internal needs. Using Splunk Enterprise Security, our focus was not on reducing alert volume but on properly finding and handling alerts; we've managed to capture 100% of them effectively.
Splunk Enterprise Security provides the relevant context to help guide investigations by allowing us to share application logs and details with clients efficiently. We utilize out-of-the-box detections in Splunk Enterprise Security, and we have created dashboards that add value to our monitoring efforts. Customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is easy; it has been a good experience without significant difficulties.
We upgraded to Splunk Enterprise Security from version 8.0.4 to 9.0.6, and also from 8.1.4 to 9.0.6; it worked well with the support we received from the team, and it has proven to be very useful. Splunk Enterprise Security provides the foundation for unified threat detection, investigation, and response, enabling fast identification of critical issues.
Akif Arayici
DevOps&Cloud Engineer Mentee at CertDirectory.io
The best feature of Splunk Enterprise Security is the documentation. Splunk Enterprise Security's documentation is well-organized. For example, if you have a problem or if you want to read about what you're looking for, you can easily go there and read from the documentation. It also has many resources worldwide. It is a de facto standard of the SIEM solutions. For example, I have used IBM QRadar, which is another solution many companies are using.
One of the most beneficial use cases for me is that Splunk Enterprise Security is fast. I cannot speak to how the SIEMs work in the backend, but I can say it is fast to find any logs.
Its UX and UI experience is getting better. It is much better than one year ago. Some of the buttons and other features are much easier to locate and choose. The user interactions are much better than one year ago. The advanced queries are much faster. The UI design is much better. That is one of the best changes that happened in one year.
Splunk Enterprise Security's most valuable features are its stability and the robust Splunk Search Processing Language, allowing extensive customization and analysis capabilities.
Prasenjit Saha
CEO at CygenIQ
Splunk Enterprise Security's threat-hunting capabilities have been particularly useful in later releases.
I can create dashboards to collect and view information in a tabular, graphical format. This feature is important because it helps me understand time-series data over one or two hours. It creates graphs, allowing us to check spikes and examine average values and 90th and 95th percentile values. This capability is useful for performance monitoring and issue identification. I believe it has helped speed up security investigations.
Madhu Gurindapalli
Security Consultant at Matiq
The features of Splunk Enterprise Security that I have found most valuable include the risk-based score and UBA/UEBA, user behavior analytics, or user and entity behavior analytics. Based on this feature, we can identify anomalies in any activity from the user or device.
It serves as a single pane of glass for all the security-related events. It helps cross-correlate with minimal manual intervention, detect true positives, and take remediation steps in an orchestrated manner. It is very efficient. It's a top solution in Gartner Quadrants and Datamatics.
DR. Kundankumar
Manager of Security Operations Center at Wipro Limited
The two features I like most in Splunk Enterprise Security are the content management system and the incident review dashboard. The incident review dashboard allows us to directly view significant events triggered by the use cases I've configured within the content management system.
The best features of Splunk Enterprise Security are the correlation rules and automation over the correlation rules. We can trigger alerts and notifications. The alerting and notification mechanism is really powerful and good.
Splunk can deliver more information by going deeper. By creating a dashboard, we can identify the root cause of the threat. Let's say I have a firewall from Check Point. Splunk will find the dashboard for Check Point, implement it in our environment, and connect it to the Check Point firewall logs, which are shown on the dashboard. If we request a custom dashboard, the engineer will take longer to complete the task.
I can create a custom dashboard for the firewall, antivirus, or endpoint protection. This will take time to complete because they need to understand the log type and mitigation of the process from the system or API.
Splunk helps us manage our hybrid environment, including our email system. The main email system is Microsoft Exchange, which is deployed on-premise, and the second is Office 365. There isn't much security for the hybrid environment. We get logs from the web application firewall, the firewall, and the anti-spam solution.
Blas M.
Information Security Architect at UMMS
The incident review in Splunk Enterprise Security seems to be the most helpful feature.
I appreciate how Splunk Enterprise Security connects users to the research team and threat documentation, providing access to current events impacting other clients, security vulnerabilities, and relevant use cases. The platform's daily updates offer valuable insights for enhancing our security posture.
Splunk Enterprise Security allows us to create custom dashboards by changing fonts and modifying widgets. Those familiar with XML coding can further personalize dashboards to align with frameworks such as MITRE. Alternatively, we have the option to use the pre-built dashboards.
Mohamed-Atta
System Administrator at Galaxy Chemicals Egypt
The most valuable features of Splunk Enterprise Security are reporting capabilities. It is a good tool for checking systems and analyzing situations. I find it useful to check my systems and analyze situations.
KN123456789
Principal Cyber Security Engineer at a financial services firm with 5,001-10,000 employees
The most valuable feature of the solution is the correlation searches. The one-stop shop shows me all my insights and alerts, and can send alerts to my analysts.
I would say it is fairly important for my organization that Splunk Enterprise Security provides end-to-end visibility in our environment. At the same time, my company has other products that cover the observability piece. From a security perspective, we use data outside of our security data to piece together the whole picture. I think our company's perspective is that no matter how we get the whole picture, we will do it, even if it is from outside Splunk Enterprise Security. I think Splunk Enterprise Security plays a major role in this.
In terms of Splunk Enterprise Security for helping our company find any security event across multi-cloud, on-premises, or hybrid environments, I would say that it is great once you get past the learning curve. The learning curve is higher than normal.
I think Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data in a great manner. Splunk is a great product and provides these features, but not so much when it comes to identifying and solving problems in real-time because there are always data delays. There is always onboarding, mapping, creation of correlation search, and then enabling Splunk ESCU part. It works in a general sense and not on a real-time basis.
In terms of whether Splunk Enterprise Security has helped reduce alert volume, I would say that it is the only active SIEM tool my company is currently utilizing. Reducing alert volumes involves tuning up certain areas of the engineering team. If I look at the product alone, I would say it can help reduce alert volume. If I consider the learning curve, I would say that you have to learn how to tune it the right way with the help of professional services or experts. You need to utilize your resources, which I think is the best way to do it.
Splunk Enterprise Security provides our company with relevant context to help guide our investigations since the correlation searches with the enriched data do help gain insights on all of our investigations. At the current point, we are still trying to get past the tool's learning curve so that all of our analysts and everyone on the security team can utilize the tool the best way they can. The more they learn, the better it gets, so currently, we are doing our best.
Splunk Enterprise Security helped reduce the meantime needed to resolve our issues because we have all our data in a centralized location and mapped to a data model. As long as we know what detection and data we are looking at, we can go to our data model and figure out where the issue lies.
Splunk Enterprise Security's ability to help improve our organization's business resilience revolves more around observability. Our company recently migrated to Splunk Cloud, and I think we have more hands-on experience with the ingestion side than ever before. I think it is a lot easier for us since we moved to Splunk Cloud as we don't have to focus on maintaining the infrastructure so much, and we can focus more on the data. I think this is outside of Splunk Enterprise Security's scope and falls under Splunk Cloud's capacity.
Speaking about Splunk's unified platform helping consolidate networking, security, and IT observability tools, I would say that my company is not there yet.
It has so many features. The incident review pane is the best part of it because that is where the SOC lives. It is the heartbeat of what the SOC needs to do. You are able to start the investigative process. As you are sitting in the incident review pane, you see the alert, and from that one alert, which is called a notable alert, you can drill in and see all the different specific details that are tied to that. You then have adaptive response action that can be taken automatically on that, or you can even drill in to look at what events drove that alert to be created. You can then start doing more hunting and querying that way. There is so much information contained in the notable alert itself in that panel. It helps to drive the direction of where the engineer should go.
Being able to aggregate detection and alerts from various sources is valuable. Like everyone else, we have a wide range of tools in our shop. We are able to stop at one spot and look at all the data. All the data is able to come through, and we can then jump from source to source or index to index. We can dig deep whenever we need to and get a good high-level understanding.
Mustafa Ameen
Resident Consultant (Security Analyst) at helpag
I find it beneficial that Splunk Enterprise Security easily integrates with other tools. Due to its excellent API capabilities, it facilitates connections with various cybersecurity tools. We utilize different controls, such as Anomaly and Threat Intelligence, and also integrate it with Data Diode, which assists in one-way communication for infrastructure. Splunk Enterprise Security can seamlessly receive logs from various infrastructures, including Data Diode and firewalls.
We utilize Threat Topology and MITRE ATT&CK features, as these aspects fall under the MITRE ATT&CK framework. They provide coverage for continuous user activities and password issues. The MITRE ATT&CK framework is beneficial for detection and outbound traffic, and it offers a good number of default use cases that we have implemented in our environment.
The most valuable features in Splunk Enterprise Security are the cluster capabilities.
The search engine and indexes are fast and optimized, and the report generation dashboard is user-friendly.
I like the ease of setting up dashboards on Splunk. They're easy to create, manage, alter, and share. You can fine-tune them any way you see fit. One of Splunk's unique features is that you can customize it for your needs, especially if you've got homegrown solutions. It accepts whatever kind of logs and can be normalized at any point. With a one-off solution, you can work with the developer who created it, and they give you the features or key information you want to keep.
The end-to-end visibility into our environment that Splunk provides is impressive. We just need to use it better.
We are a small team. For us to look at all those logs ourselves would be difficult. There is some decent insight into what's going on. It's just a matter of actually utilizing that data and taking action on it.
We would probably see more time savings if we used Splunk more.
We're an on-prem network. During the installation, we found several issues that we should look into. We just need to utilize more.
Splunk has shown us some gaps where we need to ingest and normalize data, and we have built those gaps.
Splunk Enterprise Security provides us with context to help guide our investigation. It's a starting point to actually look at the logs and figure out what we need to look into. It's useful.
It helped to consolidate networking security and IT observability tools. We use Splunk in general a lot for operations, and then we've been able to build dashboards.
The solution's most valuable feature is the aggregation of all the logs in one place, using Enterprise Security's built-in or ESCU use cases to find them.
The end-to-end visibility Splunk Enterprise Security provides in our environment is very important because we might not see everything or miss something without it.
Once you have it set up correctly, Splunk Enterprise Security works great for helping us find any security event across multi-cloud, on-premises, or hybrid environments.
Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data. The ability to identify and solve problems in real-time is pretty robust.
Splunk Enterprise Security has helped reduce our alert volume with RBA and has helped reduce our mean time to resolve. With correlation searches in risk-based alerting, you don't have to sift through information; it is presented to you.
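The risk-based alerting pattern the reviewer credits with cutting alert volume works by splitting detection into two layers: many low-fidelity searches that only add risk to a user or host, and one aggregation rule that opens a finding when enough risk from enough distinct sources accumulates. The two stanzas below are an added editorial example, not the reviewer's configuration and not Splunk's shipped rules. Stanza names, the app, scores, thresholds and the parent-process list are assumptions; the `action.risk.*` keys, the `action.correlationsearch.annotations` key and the Risk data model fields are the documented ones, so verify them against your ES version.

```ini
# Added example, not Splunk-shipped content. Both stanzas belong in
# savedsearches.conf of an app of your choosing (app name assumed).

# 1) Contributing detection: noisy on its own, so it adds risk and never
#    opens a finding by itself (note there is no action.notable here).
[Example - Process Launched By Script Host - Rule]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m@m
dispatch.latest_time = now
search = | tstats summariesonly=true count, min(_time) as first_seen, max(_time) as last_seen, values(Processes.process) as process \
    from datamodel=Endpoint.Processes \
    where Processes.parent_process_name IN ("wscript.exe","cscript.exe","mshta.exe") \
    by Processes.dest Processes.user Processes.process_name \
  | rename Processes.* as *
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 1
# Risk modifier: 20 points against the user named in each result row.
action.risk = 1
action.risk.param._risk_object = user
action.risk.param._risk_object_type = user
action.risk.param._risk_score = 20
action.risk.param._risk_message = $process_name$ spawned by a script host on $dest$
# ATT&CK annotation; the aggregation rule counts distinct tactics from it.
action.correlationsearch.annotations = {"mitre_attack": ["T1059.005"]}

# 2) Risk incident rule: one finding per user once the risk bar is crossed.
#    risk_score >= 100 from at least 3 different detections within 24 hours.
[Example - Risk Threshold Exceeded For User Over 24 Hours - Rule]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
search = | tstats summariesonly=true sum(All_Risk.calculated_risk_score) as risk_score, count as risk_events, \
    dc(All_Risk.source) as source_count, values(All_Risk.source) as sources, \
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as tactic_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as tactics \
    from datamodel=Risk.All_Risk \
    where All_Risk.risk_object_type="user" \
    by All_Risk.risk_object All_Risk.risk_object_type \
  | rename All_Risk.* as * \
  | where risk_score >= 100 AND source_count >= 3
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 1
# Throttle per user for a day so the hourly run does not re-open the same finding.
alert.suppress = 1
alert.suppress.fields = risk_object
alert.suppress.period = 24h
action.notable = 1
action.notable.param.rule_title = Risk threshold exceeded for $risk_object$
action.notable.param.rule_description = $risk_events$ risk events from $source_count$ detections (score $risk_score$, tactics: $tactics$) in 24h: $sources$
action.notable.param.security_domain = threat
action.notable.param.severity = high
action.notable.param.drilldown_name = Risk events for $risk_object$
action.notable.param.drilldown_search = | from datamodel:"Risk"."All_Risk" | search risk_object="$risk_object$"
```

The `source_count` condition is what keeps one chatty detection from paging anyone on its own; an attacker has to trip several different rules against the same user before an analyst sees a finding, and when they do, the finding already carries every contributing risk event and its ATT&CK annotation.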
It is lovely to have everything we need in one tool. Everything is quite centralized.
Some of the tool's best features are RBA and UBA. I also like the tool's single point-of-view dashboard for incident response. The case management area is one of its good features.
The tool has reduced the mean time needed to resolve. The reason is that the dashboard offers a single point of view, especially in areas where people aren't spread out. Our company is getting all the relevant data in there, and we are able to identify the problem instead of having to go to multiple tools or different interfaces.
It is very important for our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. It is our company's way of understanding what is going on in our environment, and then it is our way of handling security events, relevant events, mitigating risk, understanding risk, quantifying risk, producing metrics, and everything else.
Splunk Enterprise Security provides our company with the relevant context to help guide our investigations. The tool has allowed us to gain better visibility and accuracy into security events.
The tool has helped our company improve the resiliency of our security operations. This is based on the fact that we don't have full adoption of the tool for all users in our organization, especially not Splunk Enterprise Security.
My company uses the tool for security operations, and we have built our security operations around Splunk based on what it can do and its performance.
Splunk's machine learning toolkit helps us predict things like CPU and memory usage. The user interface is excellent, and since I'm using Splunk as a power user, it's easy to create dashboards. Splunk helps monitor multiple cloud environments. We have OpenShift. All of our VMs and servers are present in the cloud.
Splunk has an excellent threat intel feed, so we can get the latest IOCs. The threat intel service enhances the threat detection capabilities because the solution is purely based on threat intel. They gather each threat intel from the dark web and the other areas of the internet. Once the integration is done, it's much more helpful than the traditional Splunk features, which may yield limited visibility. Splunk isn't purely a threat intelligence solution, but it may not have feeds at that frequency.
The threat detection capabilities are excellent, but it depends a lot on the configuration. If we can't configure the indicators of compromise correctly, then it becomes difficult for Splunk to evaluate a threat. For example, let's say a user is accelerating some data through the email gateway, and the gateway isn't being monitored. Splunk can't do anything about that because it requires a gateway monitoring system to be installed. Splunk is only aggregating the events coming in, and it cannot find the exact DLP agent. The DLP logs need to be forwarded to this Splunk connector.
Recently, Splunk upgraded to version 9.0.02, which includes excellent data dashboards and visualization effects. This upgrade makes it easier for me to implement all the dashboards. I have created a dashboard that showcases all the VPN monthly data in one place, which is a beneficial feature of the new visualization effects.
We put all of our logs and data into Splunk, like network switches, firewalls, and web-based protection. In general, every component within the infrastructure sends data to Splunk.
Then, we have an engineering team transforming, manipulating, and analyzing the data to create a front-end dashboard in a meaningful way.
The most valuable feature of the solution is correlation searches, which allow you to easily find threats and other such areas.
It is really important that Splunk Enterprise Security provides end-to-end visibility into our company's environment, as it can help save time and make the response faster.
Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data with the use of data models and Splunk CIM.
The tool has helped reduce our company's alert volume as the identification process is fast.
Splunk Enterprise Security provides our company with relevant context to help guide our investigations. Any incident can be resolved in a minimal amount of time than expected, and we can get more information about such incidents. It can be resolved mostly on the same day and even in a few hours.
Splunk Enterprise Security helped reduce mean-time resolve. It has also helped improve our organization's business resilience. Considering the tool's ability to predict, identify, and solve problems in real-time, I would say that it keeps our company safe.
Splunk's unified platform helps consolidate networking, security, and IT observability tools. I cannot provide too many details because I am not working directly on the analytics part.
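Several reviewers on this page credit data models and the Splunk Common Information Model (CIM) with making ingestion and normalisation easier. What that means in practice is a small amount of configuration per sourcetype so that a custom log lands in the right data model with the field names ES correlation searches expect. The following is an added editorial example, not any reviewer's configuration and not Splunk-shipped content: it maps a hypothetical custom web portal's login log into the Authentication data model. The sourcetype name, the raw field names and the sample event are constructed assumptions; the props.conf, eventtypes.conf and tags.conf keys are the documented ones.

```ini
# Added example, not Splunk-shipped content. The three files below go under
# $SPLUNK_HOME/etc/apps/<your_app>/local/ (app name assumed).
#
# Constructed sample raw event for the hypothetical sourcetype:
#   2025-06-01T10:02:11Z app=portal event=login result=FAIL username=jdoe client_ip=203.0.113.7 server=web01
#
# Goal: after this mapping, the event shows up in
#   | tstats count from datamodel=Authentication.Authentication where Authentication.action="failure"
# with user=jdoe, src=203.0.113.7, dest=web01, so ES access-domain rules see it.

# ---- props.conf ----
[custom:portal:auth]
# Timestamp and line handling.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHOOD = 20
SHOULD_LINEMERGE = false
# Automatic key=value extraction already yields username, client_ip, server,
# result; alias them to the CIM Authentication field names (original fields stay).
FIELDALIAS-portal_user = username AS user
FIELDALIAS-portal_src = client_ip AS src
FIELDALIAS-portal_dest = server AS dest
# CIM requires action to be success|failure; translate the app's own vocabulary.
EVAL-action = case(result=="OK", "success", result=="FAIL", "failure", true(), "unknown")
EVAL-app = "portal"

# ---- eventtypes.conf ----
# Only login events from this sourcetype qualify as authentication events.
[portal_authentication]
search = sourcetype=custom:portal:auth event=login

# ---- tags.conf ----
# The "authentication" tag is what the Authentication data model's root search
# matches on; action=failure then places the event under Failed_Authentication.
[eventtype=portal_authentication]
authentication = enabled
```

A quick check after deploying is to run `| datamodel Authentication Authentication search | search sourcetype=custom:portal:auth` and confirm `user`, `src`, `dest` and `action` are populated; if they are, the data model acceleration and every shipped correlation search over Authentication pick the source up without any per-rule change.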
The most valuable feature is the ability to look at threats and link them to the MITRE ATT&CK framework. This helps our staff identify threats within our environment and appropriately landscape them.
Splunk Enterprise Security provides us with relevant context to help guide our investigations.
At a high level, we can see threat details and then drill down further. It maps to important frameworks, like MITRE ATT&CK, to help us fully understand the origin of threats and where we need to go next to go in our investigative process.
It integrates with other platforms like Attack Analyzer and SOAR, and soon, AI integrations. These will further help us reduce the threat landscape.
Sharan Paniya
SOC Analyst at Topcon Omni Systems, Inc.
The most valuable features include the incident review and Dashboard Studio. My job involves building dashboards, so it's easy to visualize and explain the environment using Dashboard Studio.
Incident review with my SOC job helps me check all the incidents and alerts coming in.
Splunk Enterprise Security stands out for its ability to integrate with existing security tools, provide informative dashboards, and offer IT Service Assurance functionality that goes beyond basic threat detection to include service performance monitoring.
One of the features I appreciate most is privileged account threat detection. It identifies suspicious activity associated with fraudulent accounts detected on the endpoints of target systems.
Furthermore, the platform offers threat analysis and reporting that leverages Splunk data. This allows for the detection of irregular user access from machines directly. This functionality is crucial in large PAM environments with thousands of users, as it identifies inactive accounts.
For scenarios where users might not access the PAM portal to change passwords, different policies are implemented. Splunk plays a key role in detecting irregular user activity. By establishing a three-month threshold, we can identify cases where users haven't used their accounts despite not being on leave or vacation. Such instances warrant investigation to determine the continued need for privileged access.
We can automatically suspend or terminate suspicious sessions. We have also customized reporting within Splunk.
As an analyst, I've observed that Splunk offers a variety of rule sets, along with built-in and customizable use cases. We have the flexibility to create dashboards and expand reports for management visibility. One key advantage of Splunk over competitors like IBM QRadar is its superior device integration capabilities. With Splunk, we can seamlessly integrate and coordinate data from various sources, enhancing our analytical capabilities.
I like that it has a review panel where you can see all of your alerts. Another valuable feature is that it integrates with other apps like UBA and SOAR.
I also like the guided alert creation. The guided alert creation is useful, especially for new people who don't know SPL.
It's a premium app, it's easy to use and intuitive.
Enterprise Security has one pane of glass for all of our alerts. We still use the Enterprise Security page where we keep track of everything.
It's very important to us that Splunk offers end-to-end visibility into our environment. It has the ability to identify any security events or if data is reingested, we'll get an alert for that. End-to-end visibility is very important for a mature security program.
Splunk helped to ingest and normalize data. Anytime that we put data in, we always normalize the SIEM model. ES runs off of that so it helps us to dot our I's and cross our T's. It helps us to use our data effectively.
It has tools to reduce our alert volume. We get a lot of alerts. It's more of a tuning thing than anything that the app can help with.
It provides us with the relevant context to help guide our investigations. It's really useful in that aspect.
It hasn't reduced our MTTR. SOAR would do that. It has helped our mean time to detect.
It has increased our business resilience. It's a top-of-the-line SIEM security product. It's the best tool for our security analysts which helps them do their job better. That then protects our company from adversary actors.
We use Splunk Enterprise Security to serve our clients. Our clients from the financial and health sectors deploy the solution in their environment for cloud visibility. Our clients use the solution to find any threats or vulnerabilities inside their environment. We use the solution to get use cases, reports, dashboards, or visibility onto their environment. We use the solution to detect any attack or malicious intent of users inside the environment. We try to create use cases specific to their environment through Splunk Enterprise Security.
Splunk Enterprise Security gives us a single pane of glass so that we can use just one tool instead of having to use different solutions.
It is pretty important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment, and it gets more important every year.
Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data.
It has helped us reduce our alert volume.
Splunk's unified platform helps consolidate networking, security, and IT observability tools. It gives us a single pane of glass, so instead of having to go to different tools, we just go to one tool.
It is deployed as an app on its own server.
Splunk Enterprise Security comes with 300 pre-deployed use cases that can be easily customized to meet the specific needs of our organization, without the need to purchase additional tools.
We can easily identify the number of security devices and users that are authenticated on the network and present the information to the executive team.
Mark Roeder
Manager, Security Engineering at a computer software company with 1,001-5,000 employees
The feature that we use the most is the correlation search engine within ES. That is the one we use. Absolutely the most. There are a lot of other features in there, however, that's the one we use.
Our organization does monitor multiple cloud environments. It's not "easy" per se. I'm a Splunk-certified architect. I've got 30 years of experience. If you've got 30 years of experience and you're a Splunk-certified architect, it's easy. If you haven't, you've got no chance.
Splunk Enterprise Security's visibility into multiple environments, for example, cloud, on-prem, and hybrid is good. Splunk doesn't care. It's as easy on-prem as it is on the cloud, as it is hybrid. I've built up all three individually and separately depending on the environment.
The insider threat detection capabilities for helping our organization find unknown threats and anonymous user behavior are okay. It can do it, however, it is not out of the box a UEBA. It doesn't pretend to be. Splunk has a separate product for that which is not the enterprise security suite. That said, if you enable the access domain correctly within ES, it gives you really good insight into what your Insight users are doing. That's what the access domain is. However, it doesn't have the advanced features that you would expect from your UEBA product as it is not one.
We use the threat intelligence management feature. My impressions of the actionable intelligence provided by the threat intelligence management feature are mixed. We import anomaly threat intel into the Splunk ecosystem to do that. We use the framework that Splunk provides, and we supplement it with the threat intel from a third party, and that works really well.
We use the MITRE ATT&CK Framework. We’ve mapped all of our detections around that MITRE framework. There are four frameworks built in, and we chose MITRE. It just makes more sense. You only pick one. There’s no sense in picking more than one.
It’s helpful to uncover the overall scope of an incident. If you've done the work to map your MITRE ATT&CK Framework into the product, then you have a hit against a MITRE ATT&CK technique. Then at least you know where it is in the MITRE ATT&CK framework so that you can describe it as a common frame of reference with a third party. However, it doesn't necessarily give you an idea of the scope. It requires more effort. That said, it's certainly a really good starting guide as to where you are.
Splunk Enterprise Security is okay for analyzing malicious activities and detecting breaches. It's only as good as the operators that use it. Out of the box, it doesn't do anything. You have to put the work in to make it do that. I can't begin to say how useful it is when it's first configured. You need to spend a lot of time working on your environment to make it do that.
It helped us detect threats faster. Without it, you can't check anything. It's too complicated.
The solution has helped us speed up our security investigations. Without it, you don't have investigations. Also, with the alerting itself, Splunk becomes best of breed.
The Splunk incident response dashboard is pretty useful because it helps first responders triage incidents and properly escalate when necessary.
We find Splunk very useful on the enterprise level to detect and prevent security threats.
Splunk Enterprise Security has definitely helped improve our organization's ability to ingest and normalize data. We have many log sources and over ninety thousand staff. We have endpoints, servers, syslog data, and BYOT data. Splunk has been instrumental in maturing the security posture of the organization.
Splunk does a pretty good job at identifying threats in real-time.
It provides us with the relevant context to help guide our investigations. During onboarding, once the log sources are properly onboarded based on Splunk's recommendation for SIEM compliance, we found real value in being able to aggregate different types of data and load them properly so that we can then pass on and access them very easily.
It has improved my organization's business resilience. We've been able to mature our security program and posture over the years.
The ability to see everything from a single tool is very helpful. From the context of communication with our executives, being able to show them a unified dashboard to see the security posture has been very useful. For example, our executives can see the security posture or position of all of the branches of the bank from a single dashboard. Dashboards like that give them peace of mind to have that kind of visibility to know the state of things. Splunk is very instrumental in that.
Splunk lets us integrate multiple third-party threat intelligence feeds. We can also customize the data models for correlation more than we could with competing SIEM solutions. We can filter out the noise and see our alerts.
I created some security reports or dashboards. We also have dashboards for user requests related to our firewalls, like Palo Alto and traffic or activity alerts. We can also see where we're getting a lot of authentication failures, etc. We've also created some other custom use cases, like using VPN logs and use cases for analyzing the national origins of repetitive malware. We have integrated some other solutions like Carbon Black EDR or MDR as well as Vectra, which is fully automated with AI. They have their own signatures.
We get decent visibility with Splunk and integration with data visualization tools like Grafana. We also have various threat intelligence feeds that are updated regularly with the latest IOCs and signatures, which we can use for threat hunting.
Harsh Kashiparekh
CEO at Securis360 inc.
I like that the tool is light and the agent doesn't slow down the machine. Splunk Enterprise Security is a standard solution providing good customer service and partnership.
The correlation searches are most valuable just because we are able to do things like RBA. One of the things that we started pretty recently is our insider threat program, and it has been pretty good, especially using RBAs as our framework for the insider threat.
The dashboards let us dig deep into our actual system. Our system is spread throughout Alaska with about 70 sites, each with all kinds of equipment. Splunk Enterprise Security helps us mine through that data and look for security events.
Splunk Enterprise Security is a valuable tool that allows us to monitor data from the APS daily. This monitoring focuses on the success or failure of APS calls. Successful calls are identified by a status code of 200, while unsuccessful calls are indicated by a status code of 400 or any other code. By monitoring these codes, we can proactively identify situations where the intended data retrieval fails due to backend server issues. This distinction is important because it helps us differentiate between failures caused by backend server problems and those resulting from issues with the monitoring team's ability to send requests. This clear separation allows a dedicated team to investigate these specific backend server failures and implement resolutions.
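The status-code monitoring described in the review above, as an added example that is not part of the original review and not Splunk code. It goes slightly beyond the reviewer's 200-versus-400 split by using the standard HTTP status classes, so that 4xx (the caller's request was rejected) and 5xx (the backend failed) land in different buckets, which is exactly the separation the reviewer wants between request-side and backend-side failures. The log format, the field names, the "aps" service label and the sample lines are all constructed assumptions.

```python
"""Classify API call outcomes from constructed access-log lines.

Added example, not from the original review or from Splunk. The log format,
field names and sample values below are assumptions made for illustration.
"""
import re
from collections import Counter

# Constructed sample log lines (not real data). Assumed format:
# <timestamp> <service> method=<verb> path=<path> status=<code> latency_ms=<n>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z aps method=GET path=/v1/accounts status=200 latency_ms=42
2024-05-01T10:00:02Z aps method=GET path=/v1/accounts status=200 latency_ms=39
2024-05-01T10:00:03Z aps method=POST path=/v1/transfer status=400 latency_ms=11
2024-05-01T10:00:04Z aps method=GET path=/v1/accounts status=503 latency_ms=3004
2024-05-01T10:00:05Z aps method=GET path=/v1/accounts status=502 latency_ms=2998
2024-05-01T10:00:06Z aps method=GET path=/v1/balance status=401 latency_ms=8
2024-05-01T10:00:07Z aps method=GET path=/v1/balance status=200 latency_ms=51
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) method=(?P<method>\S+) path=(?P<path>\S+) "
    r"status=(?P<status>\d{3}) latency_ms=(?P<latency>\d+)$"
)


def classify(status: int) -> str:
    """Map an HTTP status code to the party responsible for the outcome."""
    if 200 <= status < 300:
        return "success"
    if 400 <= status < 500:
        return "client_error"   # request-side problem: auth, validation, wrong path
    if 500 <= status < 600:
        return "backend_error"  # server-side failure: the backend owners investigate
    return "other"              # 1xx/3xx or unexpected codes: surface them, don't hide them


def parse_lines(text: str):
    """Yield parsed records; lines that don't match the expected format are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield {**m.groupdict(), "status": int(m["status"]), "latency": int(m["latency"])}


def summarize(text: str) -> dict:
    """Count outcomes per class and list the paths behind backend failures."""
    counts = Counter()
    backend_paths = Counter()
    for rec in parse_lines(text):
        cls = classify(rec["status"])
        counts[cls] += 1
        if cls == "backend_error":
            backend_paths[rec["path"]] += 1
    total = sum(counts.values())
    return {
        "total": total,
        "counts": dict(counts),
        "backend_failure_rate": (counts["backend_error"] / total) if total else 0.0,
        "backend_paths": dict(backend_paths),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The malformed line is dropped rather than counted as a failure, so a parsing problem in the monitoring pipeline does not masquerade as a backend outage; in practice you would count skipped lines separately and alert on them too.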
Splunk Enterprise Security offers valuable features like seamless integration and a SQL-standard Structured Query Language for easy searching. Additionally, implementing devices is straightforward, similar to a plug-and-play process.
The most valuable features are its ability to transact in the cloud and its ability to onboard data easily with minimal connectors. Some of the new players in the market need to build new connectors to bring data into the SIEM solution. With Splunk Enterprise Security, you get built-in connectors, as it is a major platform.
Splunk's visualizations make it easy for users to understand the data. Additionally, Splunk can ingest all our data, creating a centralized and informative platform. This combination is a powerful asset for data analysis.
The fast search is valuable. As compared to other SIEMs, Splunk is very fast in terms of the search and providing data.
The customization of the use cases is another valuable feature. It is query-based, and now, there is a feature to have machine learning as well. We can write advanced-level use cases, which is a limitation of other SIEMs.
The third point is the device integration. It is very smooth. If I need to integrate devices for logs, it is easier with Splunk. We can integrate different applications, network devices, and databases. It is also very rich in documents. It is the best.
Incident review is pretty valuable. You can have everything in one place, review it, and assign things to analysts, and they can work on it.
We also have different teams segmented; it is not one team. So, we brought that using the teams method in Enterprise Security, which I think most people are not using. This way, different users have different dashboards or lists of incidents.
The most valuable feature of Splunk Enterprise Security is the threat intelligence integration because essentially having to go out and correlate all the data on our own becomes convoluted. We don't have the resources, so having that included in the product makes it easier for us.
Splunk's strength lies in its single-page view. This interface allows us to explore all our data, build dashboards with alerts, and visualize real-time information through various charts like column, bar, and pie formats, providing a full user experience.
The security part is useful as it helps secure the entire environment. I designed the security aspect of it for a lot of applications in my company. It's the security thread within the application that we build. I'm able to use Splunk to secure the applications.
We use the solution to monitor multiple cloud environments. We can monitor even on Amazon products. It's a good source for monitoring all types of applications.
I can manage and correlate different kinds of searches within my environment. It's good for performance monitoring as well. I can do auditing and reporting through Enterprise Security.
The solution gives us visibility into multiple types of environments. There's a good level of cost optimization as well. It's good for end detection and prevention. I can identify anomalies and get a data view of fraudulent activities. You can uncover the source type and the IP address from where things originate.
Splunk gives us the capability to handle insider threat detection. I'm able to create my own dashboard that will visualize the information. It does depend on how you handle the configuration and permissions.
We do use the MITRE ATT&CK framework. It helps us discover the scope of the incidents. It helps us to target incidents immediately. We're able to quickly resolve it and stop it. We get data visibility to see what's coming in, which helps us act fast.
We can work with data from any source as long as you configure it correctly.
The solution has helped us to reduce our alert volume. You can tune your alert thresholds. You can also create rules to define your alerts. It gives you the capacity to optimize queries as well.
Shay Chouker
CSO at a manufacturing company with 1,001-5,000 employees
The most valuable features include agility and Splunk Enterprise Security's ability to quickly search for alerted items, as well as the capacity to create custom alerts using the SQL language employed by Splunk. This makes it a highly potent and versatile solution tailored to both user and company needs.
Joshua Porto
Splunk engineer at MindPoint Group, LLC
The risk-based alerting is excellent. It was most helpful in decreasing the amount of false positives that help bubble up the most problematic users and assets for the analysts, and it's fairly easy to implement.
Splunk Enterprise Security provides end-to-end visibility into our environment. It's a ten out of ten for that capability. Everyone wants to know what's happening across their environment. The more difficult part is defining the visibility, as we can't ingest the entire company into Splunk. So, the harder part is not necessarily gaining visibility. It's rather determining what visibility looks like. Oftentimes, it comes down to determining and prioritizing using the highest value.
Splunk Enterprise Security, when set up properly, helps us find any security events across multi-cloud, on-premises, or hybrid environments. It helps with investigations and helps us find that needle in a haystack.
While it doesn't necessarily help with data normalization, some pieces determine whether the data is usable and create that usability outside of enterprise security. It does assist in the process.
Splunk Enterprise Security provides us with relevant context to help guide our investigations. The context helps with risk-based learning, which is one of the things I rely on fairly heavily. It also helps reduce false positives and increases visibility to the most problematic endpoints and end users.
The Splunk Enterprise Security Hub has reduced our mean time to resolve; however, how much is hard to quantify. The dashboard is color-coded, and it's easy to read for the analysts. I don't often have to explain anything to them. Red is bad, green is good. The dashboards are relatively self-explanatory and it helps reveal the most difficult, problematic parts.
The solution does help with resilience - a bit. What it does is help us discover problems and reactively fix them.
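Several reviewers above (the correlation searches used as a framework for an insider threat program, and the risk-based alerting that bubbles up the most problematic users and assets while cutting false positives) describe risk-based alerting in prose. The following is an added example, not part of any review and not Splunk ES code: a small model of the idea, in which individual detections contribute risk to a user or asset, identity priority from a lookup weights that risk, and a notable is raised only when an object's accumulated risk crosses a threshold across more than one distinct detection. The lookup, the weights, the rule names, the thresholds and the sample risk events are all constructed assumptions, chosen to show the mechanism rather than to reproduce ES's own scoring.

```python
"""Risk-based alerting over constructed risk events.

Added example, not from the reviews or from Splunk ES. The identity lookup,
priority weights, rule names, thresholds and sample events are assumptions.
"""
from collections import defaultdict

# Constructed identity lookup (assumption): priority drives a score multiplier.
IDENTITY_LOOKUP = {"alice": "critical", "bob": "medium", "svc_backup": "high"}
PRIORITY_WEIGHT = {"critical": 2.0, "high": 1.5, "medium": 1.0, "low": 0.5}

# Constructed risk events (not real data): each detection adds risk to one object.
RISK_EVENTS = [
    {"object": "alice", "rule": "Brute Force Logon", "score": 20, "mitre": "T1110"},
    {"object": "alice", "rule": "New Admin Group Member", "score": 40, "mitre": "T1098"},
    {"object": "bob", "rule": "Brute Force Logon", "score": 20, "mitre": "T1110"},
    {"object": "bob", "rule": "Brute Force Logon", "score": 20, "mitre": "T1110"},
    {"object": "bob", "rule": "Brute Force Logon", "score": 20, "mitre": "T1110"},
    {"object": "bob", "rule": "Brute Force Logon", "score": 20, "mitre": "T1110"},
    {"object": "svc_backup", "rule": "Rare Process Executed", "score": 10, "mitre": "T1059"},
    {"object": "carol", "rule": "Rare Process Executed", "score": 10, "mitre": "T1059"},
]


def weight(obj: str) -> float:
    """Identity priority multiplier; unknown identities are treated as low priority."""
    return PRIORITY_WEIGHT[IDENTITY_LOOKUP.get(obj, "low")]


def aggregate(events):
    """Sum weighted risk per object and record which rules and techniques contributed."""
    agg = defaultdict(lambda: {"score": 0.0, "rules": set(), "mitre": set()})
    for ev in events:
        a = agg[ev["object"]]
        a["score"] += ev["score"] * weight(ev["object"])
        a["rules"].add(ev["rule"])
        a["mitre"].add(ev["mitre"])
    return agg


def risk_notables(events, threshold=100.0, min_distinct_rules=2):
    """Raise a notable only for objects over `threshold` with enough distinct rules.

    Requiring more than one distinct rule keeps a single noisy detection from
    promoting an object on volume alone; the threshold keeps low-priority
    objects with a handful of weak signals from surfacing.
    """
    notables = []
    for obj, a in aggregate(events).items():
        if a["score"] >= threshold and len(a["rules"]) >= min_distinct_rules:
            notables.append({"object": obj, "score": a["score"],
                             "rules": sorted(a["rules"]), "mitre": sorted(a["mitre"])})
    return sorted(notables, key=lambda n: -n["score"])


def leaderboard(events):
    """Rank every object by accumulated risk, regardless of threshold (for hunting)."""
    return sorted(((obj, a["score"]) for obj, a in aggregate(events).items()),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    for n in risk_notables(RISK_EVENTS):
        print("NOTABLE", n)
    print("leaderboard:", leaderboard(RISK_EVENTS))
```

On the sample data alice reaches 120 from two different detections and becomes the one notable; bob accumulates 80 from four firings of the same brute-force rule and stays below the bar, while still ranking second on the leaderboard for a hunter to look at. Dropping the distinct-rule requirement and lowering the threshold would promote bob too, which is the trade-off the reviewers describe tuning.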
It is user-friendly. It is more effective than other solutions. The support and help for troubleshooting and the documentation from Splunk make it very effective.
It has multiple features. It has data integration, search, reporting, and alerting.
It does not need any advanced programming. It only requires basic programming.
Splunk's interface is user-friendly, and it has apps and add-ons for most applications. We can easily normalize the data to make it readable and understand the logs. We easily get all the field extractions and enrichment done by using the apps and add-ons. This helps us understand the application logs because the raw data is useless unless we extract some useful information from it. These add-ons make it so much easier.
Dashboards are useful when we present things to management. They want the numbers and the results. The leaders aren't interested in what we are working on. We need some visualization for our presentations. Splunk has beautiful and useful visualization and dashboard alerts. We can easily create visualizations using the available options and create different types of charts, reports, and graphs that are easy for management to understand. We can also provide our leaders direct access to the dashboards, so they don't need to reach out to our team to get this data or we can automatically send them the reports via email.
Splunk has several useful features, like asset and identity management. If we integrate our asset and identity management properly in this log, it's effortless to identify the user, device, or asset. We can get all the details if we integrate those things into the lookup engine.
The ability to manage large amounts of generated data and to protect all devices from unauthorized use are the most valuable features.
The best part of Splunk Enterprise Security is its customizable settings. We can modify the front-end interface, data sources, and various other aspects to suit our specific needs. This flexibility makes it extremely user-friendly and convenient.
Apart from its customizable settings, Splunk Enterprise Security also offers a range of other advantages. It enables us to easily analyze logs, use field queries, and perform other tasks without requiring any extensive training. The search function is intuitive and straightforward, making it accessible to anyone.
The UI-based reporting dashboard is another highlight of Splunk Enterprise Security. It provides real-time visibility into important metrics and allows us to drill down into specific events for in-depth analysis.
Splunk has a wide range of features that customers use to find and analyze all kinds of logs. For example, they can use SQL queries to identify vulnerabilities. Additionally, they can create dashboards to visualize and filter their data, and to create real-time alerts when thresholds are exceeded. Splunk Vision is a popular tool for data modeling and visualization and is used worldwide.
Jesse Gan
IT Director at Administrative Office U.S. Courts
I am not into the administrator type of setup. I am more like an advanced user. The most useful feature for me is the ability to create different kinds of alerts and set a different kind of denominator that will capture the real event. That is helpful for a power user like me.
Splunk Enterprise Security's value lies in its ability to collect and analyze security logs, providing insightful dashboards.
Being able to ingest data from all the tools and all the apps being used in the environment is valuable. Being able to create alerts when, for example, the CPU usage reaches 95% is also valuable. We can set up alerts and proactively fix the issues. Splunk helps with all these things, and Splunk Enterprise Security has almost 2,000 use cases. It follows MITRE ATT&CK and Cyber Kill Chain frameworks. There are certain notable events for which we can configure our security posture. We can onboard all the logs through indexes and create dashboards to view what is going on in the environment.
Laurens Binken
General Manager, Information Risk Management Strategy & Transformation at an energy/utilities company with 10,001+ employees
The solution's most valuable feature is that it helps with our use cases to detect anomalies in our data and it is important to my company since we have a lot of data on different logs on the systems. We need to be able to create insights that are indicative of malicious activities, which is one of the main purposes of having Splunk Enterprise Security in our company.
Splunk Enterprise Security's dashboards are a key asset. They offer comprehensive visibility across our entire environment, allowing us to diagnose and address security issues directly from the interface.
Splunk stands out for its extensive application integrations. It boasts a user-friendly interface with intuitive features that are easy to understand and navigate for technical users. This accessibility is a major reason why I find Splunk so appealing.
RajKumar25
Splunk Engineer at UnitedHealth Group
I like Splunk's Notable Events. We have created several dashboards for our customers, where you can see the activity and number of alerts. The database receives data about the mask and domain IPs of any user trying to gain access. We ingest logs from multiple antivirus products and firewalls and analyze them to prevent attacks and threat activities.
Surya Teja
Information Security Analyst at Apcfss
Splunk covers our cloud and on-prem environments. We were exclusively on-prem, but we are slowly moving into the cloud. Our developers can customize investigations by adding multiple interesting fields and aggregate those details in Enterprise Security by using the appropriate SQL queries.
We use Splunk's threat intelligence management feature, which provides insight into how business decisions can make an organization vulnerable to cyber attacks. All of these things fall under tactical threat intelligence. For example, it can tell us if someone is accessing our organization's API.
We have integrated all our tools so that we can monitor any alert type, but we use Splunk primarily for investigations. We're ingesting audit, security, application, and Windows logs. Once we get an alert, we go to the tool and investigate further.
Splunk uses the MITRE ATT&CK framework, giving us new tactics and techniques based on issues observed in other businesses and industries and helping us to address novel threats to our network. MITRE ATT&CK is highly useful.
The consolidated overview of all the events that come in through our environment and an easy-to-access interface for all our end users are valuable. As we get more people onboard, it is important that they are able to easily jump onto the platform and understand what they need to see in our environment. Having that quick operational capability allows us to get our observability up to speed as fast as possible.
Serkan Yalçiner
Senior Observability and System Consultant at a tech services company with 11-50 employees
Splunk Enterprise Security’s most valuable features include its powerful log aggregation from diverse platforms, flexible search and correlation capabilities, and customizable alerting system. It allows me to collect logs from virtually any source—servers, firewalls, cloud services—and create custom rules to generate meaningful alerts. The flexibility of Splunk’s Search Processing Language (SPL) makes it easy to build tailored dashboards, identify threats, and quickly pinpoint the root cause of issues, significantly improving operational efficiency and threat detection accuracy.
The solution's most valuable feature is risk-based alerting, focusing on building out user risks for individuals throughout the enterprise.
It is important to our organization's security that Splunk Enterprise Security provides end-to-end visibility into our environment.
Splunk Enterprise Security's ability to find any security event across multi-cloud, on-premises, or hybrid environments is good. It's more about how you configure it and how well your company is equipped to provide and allocate resources to make the best use of the tool.
It has helped reduce our mean time to resolve.
Akash Kumar Meher
Sr. Security Engineer at a sports company with 501-1,000 employees
I like Splunk's automated threat detection and orchestration capabilities. Splunk offers a single solution for analyzing, aggregating, correlating, monitoring, reporting, visualizing, etc. You can get all of these capabilities in one place. On top of that, it provides a cloud, testing, on-premise, and hybrid solution, giving customers more flexibility for their use cases.
Splunk's real-time monitoring is one of its best features. The user interface gives you a single dashboard to directly view all the high-level information. The security incident monitoring and investigation page is also very helpful. You can document an investigation step by step. Many investigators can work on a single incident also based on their shifts. Everyone can add notes on the investigation page.
The incident response features are based on real-time data. The monitoring team can immediately take over an incident and prioritize tasks based on risk scores. We can assign multiple technicians to one security incident based on their skill, improving resolution time. The incident review dashboard provides many useful details, like the indicators of compromise and risk scores.
We can get threat intelligence from multiple platforms, including the latest known IOCs, to support our response to security incidents. We store the threat data from various sources in a centralized place, and it updates every six to 12 hours.
The MITRE ATT&CK framework feature is helpful for understanding which phase an incident is in and what the next steps are so a technician can prevent it from progressing. It gives us a detailed overview of other tactics it might be associated with, enabling us to stay vigilant. We can correlate with other simultaneous or sequential incidents and take action to strengthen our security based on these incidents.
It's easy to monitor multiple environments with Splunk. The cloud model is better than the previous on-premises version. The custom dashboards are helpful. We have created multiple dashboards for user activity, logins, phishing, etc. If you miss an alert, you can check the dashboards. For example, if you need to check some user activity, we have a dashboard for Azure Active Directory, and Mimecast is integrated for monitoring email-based attacks like phishing. It throws the information up on the dashboard when we get an alert.
Donatas-Bukelis
Project Manager at Hilti
The most valuable features are the logs, which allow us to identify what happened and who interacted with the web repository.
MS Alam.
System Administrator at Nournet communications
The most valuable feature of Splunk Enterprise Security is the comprehensive logging capabilities it provides.
Alexandre D
Defense protection study manager at Ministère de la Défense
I like the search feature and the indexing. It's very fast and comprehensive. It's easily tuned by your service provider, so I can quickly find the results I'm seeking. So it's very practical. We are working with the search feature and using multiple indexes that combine devices from different environments, so it's easy to collect information across environments.
We can relatively quickly detect some malicious activities based on attack patterns and implement use cases configured by our service provider with help from Splunk. It improves the speed of threat mitigation because you can gather information about the attack patterns from a few days of online activity to block threats and take the necessary actions.
Oluwaseun Oke
Owner at Py Concepts
It gives me notifications of notable events.
The default dashboard is very good. We can see our security posture from there.
On-prem and cloud data analysis are good. You can aggregate it if you need to in order to get good data.
Splunk has proven to be great when tracking down anomalous behavior. The logs are excellent. It is the platform in the industry. You can integrate anything. The amount of information and usability you get out of Splunk is very good.
We do use the Threat Intelligence Manager. It can be integrated with third parties. The actionable intelligence we get is useful. There is sequencing where you can gauge some actionable steps.
I use the MITRE ATT&CK framework when I am developing a new use case. It helps us discover the overall scope of an incident. Using Splunk is essential in developing that.
It's good for analyzing malicious activities and detecting breaches. I'd rate it highly in its capabilities. However, if you don't have the knowledge, it may be difficult. You might get a lot of false positives.
It's helped us detect threats very fast, in almost real time.
We have reduced our alert volume. I'm not sure of the exact number, however, instead of having 100 to 200 false positives, we might get 20 to 30.
It has helped us speed up our security investigation, although I don't handle it directly. I simply do triage, and it definitely helps there.
Senthil Kandhasamy
Solution Engineer at Sennovate Inc
Splunk is user-friendly. We can easily customize the monitoring script. We support a multi-cloud environment covering Windows Server, AWS, and Google Cloud. We also use ForgeRock to monitor Linux machines. It sends us alerts when the disk size gets full. When an employee logs in from a different region, it triggers an alert.
The most valuable feature is that it brings all of the components necessary to identify, analyze, and respond together.
It's pretty important that Splunk provides end-to-end visibility into your environment. As in any product that one purchases to fulfill a function, we want to recognize where it came in, who it affected, and what the challenges are that need to be met in order to resolve something, both immediately and also to make sure that it doesn't replicate in the future. Splunk does a good job of being able to do the former half. Dealing with issues requires tier-three support and above and it takes time. You can work through it with the help of your vendor team.
I would rate them an eight out of ten. It's not so much the problem of the application itself, although there are always improvements that can be done. There are a lot of moving parts that need to be added in and if you don't have the information that you need, especially within identity and inventory, then that can be an added challenge when you have to start making imprints based on what you do know.
Splunk Enterprise Security provides us with the relevant context to help guide our investigations. There are a number of different standards that can be presented, which is beneficial. Some customers like to have the information that they receive in one format. The driving factor is that when you work with federal customers, some of them want it in one format. The response will be in one format as opposed to another.
Splunk has helped to improve my company's business resilience. It's an active component in ensuring that we are vigilant against intrusion and detecting it.
Identity management is the most valuable feature.
Its ability to find any security event across any environment is useful if you use the risk parameter. If it can correlate with an identity or an asset, then correlations between such events are up to the analyst.
Splunk Enterprise Security helped improve our organization’s ability to ingest and normalize data.
Splunk helped to reduce our alert volume by 53%. We work based on an on-call process. The analyst who is on call can use Enterprise Security to see what alerts they have and work from there.
If you load it correctly, Splunk will provide us with the relevant context to help guide our investigations. It made it easier.
Splunk Enterprise Security helped improve our organization's business resilience.
In terms of its ability to create, identify, and solve problems in real-time, if the problem arises, we can go and look at Splunk, but if it's happening in real time and no one reports the issue, then it doesn't work in real time.
It helps consolidate networking, security, and IT observability tools but it doesn't have such a big impact on our company.
One of the most popular features that I personally like is that in the case of an event, I should be able to run a desired action for that on a threshold, but that is not how we are using it right now, unfortunately. We have a pretty manual process. We have an operating procedure, and we follow that. I would like to see it automated. I do not want analysts to decide whether the action needs to be done or not. It should be done provided the policy says so. If the policy says it needs to be done, it should be an automatic process rather than a manual process.
The solution's newly developed dashboard is pretty amazing. The full platform is quite useful, and there are a lot of tools that we can use to leverage and modify for our own purposes. Clients don't necessarily know about it, but the tool is powerful because it saves so much time.
The most valuable features of Splunk Enterprise Security are its high-performance data collection, flexible query language, and its versatility across the organization. The unique query language, once mastered, provides flexibility, and the tool extends beyond just security, benefiting network and development teams. This versatility and speed in searching and trend identification enable quick defense for my clients. For me, it is about fast detection, rapid response, and easy access to crucial data.
Internal tracking is helpful because we do not like to deal with multiple ticketing systems, and I am not a fan of ServiceNow. We are able to keep everything internal and utilize Enterprise Security. Internal ticketing is helpful because we can bring in all the data and have it all available. That way, we can go back and take a look at it if we find another situation. We do not have to utilize other ticketing systems for cybersecurity.
Application-wise, it's good. Searching and reporting of data analytics is also fine. The dashboard presentations are also a good feature. Overall, its functionality is great and that's why we use it.
Risk-based reporting and anomaly detection are valuable features.
The biggest advantage is the reduced time to resolution. Before, it took us up to days to resolve issues, and with Splunk, we've been able to move that down to hours or even minutes in some cases.
Jacob Clark
Focused ops analyst at Navy Federal Credit Union
I very much enjoy Splunk's robust search nature, which enables me to find the data I want within the data I have. It's helpful for doing an investigation, whether that's an incident response or threat hunting.
It is important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. That way, we can see where the data is throughout the entire process, depending on where we are in the incident.
Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data.
Splunk Enterprise Security has, by far, the best search capabilities. It ties that into alerts and notables, allowing you to refine what you want to see in your data.
The most valuable feature of Splunk Enterprise Security is website activity monitoring.
With this product, you can go for an in-depth search or just perform a surface-level search. There are different modes in which you can perform searches, and that basically defines the speed of how fast you can get the data. If you are going for a more detailed version offered, it'll take a bit of time. However, they'll give you more and more data. There's also a fast mode in it.
You can visualize the data you pull, normalize it, evaluate it, and convert it into tables. It's much easier to pull the data, organize it, and normalize it as you are performing the searches. That's quite helpful.
I prefer working with cloud infrastructure like this as you can increase the storage capacity or the license at any time and search for a number of different endpoints. If you want to ingest more and more data, having something like Splunk available on the cloud is preferable.
I take advantage of the incident response part of the solution. If anything happens at the endpoint, if anything happens at the user system, servers, or something like that, my role is to look into the logs, go through other investigations, perform a time scan, and create a timeline of all the events. This helps do that job.
I'm also aware they have a Mission Control. I have actually attended a few surveys on that, however, I haven't really implemented it due to the fact that we are in the middle of a few of the projects, and things are at higher priority as of now. So we haven't really focused on that.
Using Splunk, we can check out what server versions we have. If we just cross-check with the database, we can see if we have any availability and then we can pull in the files. If you have a database, you can perform a query to check for any particular problems in the entire environment. For the threat notifications, it's quite helpful.
Indirectly, it's helped us reduce our alert volume. If you have a list of files, you can run it through the environment and, based on that, create rules and exceptions. This indirectly helps reduce alert amounts. You can go through false positives and sort them out as well and create a rule against them.
It's helped speed up security investigations. Being a central hub of logs, we can jump into a different log or source and jump into any investigation. You don't have to jump from one tool to another. This automatically reduces the investigation time.
There are lots of free learning materials on their website.
Overall, things are quite easy. It's a simple solution.
Shakti Kumar
Senior Engineering Manager at Happiest Minds Technologies
The triad is one of the best features. The product has a good security posture. It provides many customizations.
The most valuable function is the notable events. When I joined the team, I asked them what they could currently see, and they said nothing. I was pretty shocked. I know that they were using Enterprise Security or at least they had purchased it. I told them that there are several dashboards within Splunk that we can leverage. There are also notable events where we can see potential incidents or potential alerts about the infrastructure and the network itself.
The dashboards give us numbers for malware infection. So long as those dashboards are actionable, they help the SOC team a lot.
It's important to respond to incidents in a timely manner. Having end-to-end visibility across the board equips the team to make sure that whatever incident happens, it has a very minimum impact on the business. It also allows us to fix things that need to be fixed immediately. That's the asset of having end-to-end visibility across the board.
Enterprise Security really helps us normalize our data because it comes with predefined dashboards, so we only need to ingest the logs and Splunk will do the work to display what we need to see on a day-to-day basis.
When we started using Splunk, we had tons of false positives. We reduced our alerts by 90%. Most of our alerts now are actionable.
The solution's most valuable feature is the criticality of alerts. Some alerts can be noise, and others will be more high-level and warrant a higher-level response than others.
The primary feature that is the most valuable is the correlation feature, which helps you analyze the data. If there's a lot of telemetry data at some point, Splunk can take advantage of it. It can handle a large volume of data.
Now, with big data, AI, and all those things, the amount of security data that is generated is too high. Generally, the other SIEMs face trouble when handling big data. However, Splunk itself is a very strong solution for handling lots of data. It helps the SOC team analyze data very well, and it does not crash on handling a large amount. That's a key benefit.
Our customers usually monitor multiple cloud environments. It's not very difficult. There are two ways we use Splunk. One is that they can be multiple cloud environments. The second is that it can be an on-prem and a cloud environment. We are mapping it to our one solution.
Splunk is very flexible and it's integratable with other solutions.
If you want to understand how it can analyze or find out incidents, the visibility is good. The best visibility would always be in the on-prem environment. Then, the cloud, since Splunk is not a native cloud solution like Microsoft's Sentinel, is used. We don't see a lot of challenges if we do a hybrid kind of setup, however.
I'd assess Splunk's insider threat detection capabilities to help find unknown threats or anomalous user behavior at an eight out of ten. Splunk itself uses another agent or another module to do it. Splunk does the job. It's not that it will not do the job; however, it will require more refining than other solutions in the market.
My team uses the Splunk Mission Control, topology, and attach framework features, which are really helpful. We've used it for multiple customers. We take their existing SOC or detection use cases and try to map them to the framework. From a security point of view, it obviously makes a solution more superior. With Splunk, you can catch more security incidents. From a best practice standpoint also, it is a good thing as we can configure the solution, and, according to that configuration, the entire performance is better in terms of security.
It's very useful for assessing malicious activities or detecting breaches. It's a robust solution.
We've been able to help customers detect threats faster. It might be 5% to 10% faster in some cases. And since we can analyze large volumes of data, we're not missing any particular data point or data set. That gives us an advantage.
Splunk helps reduce alert volume. You can reduce your alert volume based on your configuration, and it's highly customizable, so it can help you reduce alerts by a lot. It's helped us improve the quality of incidents we receive.
It's helping customers speed up security investigations somewhat.
It improves the resilience of a company thanks to its ability to quickly analyze data.
Splunk Enterprise Security offers two valuable features: the Common Information Model and arrangement modules. The CIM helps standardize data for efficient searches, while arrangement modules automate incident log processing by enriching them with contextual client information.
The Splunk queries are valuable. There are a lot of query options available in Splunk compared to Sumo Logic.
Viktor Nagy
Owner at Infrasec
The most valuable features for us include its robust log management capabilities, which allow us to efficiently handle and retain logs for extended periods as needed. The flexibility to customize log retention periods is particularly beneficial. Additionally, we find the dashboard functionality and the advanced query language options to be highly valuable. These features, especially the powerful query language, are extensively utilized in our day-to-day operations.
Anat Garty
Chief Cybersecurity Architect at cytek-security
The ability to digest any information and then correlate it in accordance with what you need is valuable. The ability to connect to pretty much everything and bring the information in the same format is also valuable. On top of that, we can use their language in order to create and customize the dashboards, correlations, or analytics that we want to incorporate. They also have a lot of out-of-the-box correlation that we can use, which is awesome.
Reviewer343335
Security Engineer at State of Nevada
The incident review is great for working inside of a SOC if we want to see everything and we want to configure notables and have all notable features, it's useful. We're moving to SOAR right now for configuration for our work center. As far as ES in our work center, just detecting our notables and monitoring all our traffic, is the most important feature as far as what our day-to-day is concerned.
Splunk has helped us with mean time to respond, although I don't have exact numbers.
Splunk has helped improve our company's resilience level.
Splunk is very good at predicting, identifying, and solving problems in real time. I've never used anything else, however, I'm impressed with the ease of it and the ability to find anything and everything we need.
Risk-based alerting is the most valuable feature. It really allows me to drive down the alert count and the alert fatigue for my analysts to make the alerts they see more valuable and actionable. The way that alerts are handled is better in Splunk. SPL is easier in Splunk. The UI of Splunk makes it easier for our analysts to move around and see what they need to see.
The most valuable feature is the DSS, also known as SPL, because it allows users to script advanced queries with limited knowledge.
The most valuable feature is the custom dashboard feature.
Splunk is robust and user-friendly.
Venkatesh
Security Analyst at a tech services company with 1-10 employees
Splunk is very fast and user-friendly as well. The UI and design are user-friendly. It is easy to understand.
We can do a lot of things on Splunk. We can integrate a lot of other applications on Splunk. And that can be used for day-to-day security operations. It is easy to use, easy to implement, and it is fast. It is reliable.
Our organization monitors multiple cloud environments. We monitor all the infrastructure and cloud environments of clients.
It is easy to monitor multiple cloud environments with Splunk. You have to get clients onboarded to Splunk first, and then the monitoring part comes last. We have a couple of things that have to be done before the security team starts monitoring. For example, we install the agents and set up the hosting. We get the data from the host, we pass it. It is quite a lengthy process. It is easy, however, we have to do it very carefully and cautiously.
Splunk Enterprise Security provides visibility into different environments.
The solution's insider threat detection capabilities for helping our organization find unknown threats or anomalies in behavior are good. We have multiple security frameworks. For example, we have micro frameworks. There are different sets of rules. We set it. What Splunk does internally is just match the incoming logs. Based on the rules that we have set, it will match with the incoming logs. If it matches, then it will generate alerts for the security team. Based on that, we can identify if there is a potential threat trying to get into the company or internal infrastructure.
The actionable intelligence provided in Splunk Enterprise Security is good.
It will help us to automate things and can handle certain items on its own. It will just investigate, remediate, and close the necessary alert. If it is beyond Splunk's capability, then an investigation team will be involved in it.
I have used the threat topology and attack framework feature, however, now I am more of an administrator.
Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. There are a couple of other tools as well, which do the same thing. However, with Splunk, it's very easy to work with the dashboard and do search queries. You can easily look through the logs via Splunk UI.
The solution helped reduce our alert volume. It will just minimize the false alerts, and just post positive alerts. It's likely reduced false alerts by 60%. A lot is automated now and that helps cut down on manual work.
The solution has helped to speed up our security investigations. Once again, the automation will speed up the process of investigation. It saves a lot of time for analysts as it allows them to see the initial data. If a team has multiple alerts, it will take them time to go through and check everything. However, Splunk does the initial investigation for analysts and will escalate to analysts as needed. It might have reduced security investigations by 80% compared to earlier versions.
The most valuable features of Splunk Enterprise Security are the enterprise search bar and the dashboards.
Yu Kuan
Information Technology Consultant at Paul G. Allen Building
The solution's most valuable feature is the dashboard, which allows us to see everything on the same page and provides easy visibility into problems.
Splunk Enterprise Security has helped us find security events in our on-premises environment.
It has helped improve our organization's ability to ingest and normalize data. Splunk does a good job of identifying and solving problems in real-time.
We have reduced our alert volume by 80%.
The solution provides relevant context to help guide our investigations. Splunk provides pretty detailed information. Based on that information, we can assign it to different teams.
It has helped speed up our security investigations by 40%.
Splunk Enterprise Security has helped reduce our mean time to resolve. In most cases, we're able to solve issues in less than 45 minutes.
The availability of the data and the fact that we're able to collect a large amount of data into the system and analyze it is valuable to us. The product’s speed and availability make it really useful for us. I'm excited about the additional enhancements to the machine learning toolkit. To be able to use it more is exciting to me.
Bryan Castleberry
IT Specialist at a government with 10,001+ employees
Exporting is a good feature. It helps me out when I have to do reports. I do a lot of exporting and crunching of the numbers. Dashboards are okay for showing to the leadership, but for doing statistics and updating tickets, the export feature is very beneficial for me.
They offer training. That is a big part of it. If you do not understand the tool, they are able to provide everything that you need, which helps the business. When you have learned a tool, you are able to speed up the process meantime, so you are not wasting a lot of man-hours trying to figure things out.
Prince Rienne
Cyber Security Analyst
The ability to easily aggregate data and make meaningful reports is what makes Splunk Enterprise Security excellent. If I want to search for the number of failed passwords, I can go to my index, write my query, and create a report quickly. When my manager wants me to create a report concerning a particular incident, I go to my dashboard, type my query, create my dashboard from there, and everything works out smoothly.
The solution's most valuable feature is threat intelligence correlations. It's too hard to stay up-to-date on all the different data feeds yourself. So, having a tool that does it for you is very beneficial.
Splunk Enterprise Security has increased our alert volume because we now have new data to work with, and we're writing more alerts. We don't use the solution a lot for observability. Usually, our primary use case for Splunk Enterprise Security is cybersecurity.
It is extremely important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. That's the primary reason we use it. We want the ability to do everything from one tool without having to thrash back and forth and take that precious time.
Splunk Enterprise Security has helped reduce our mean time to resolve. We're at least twice as efficient with Splunk Enterprise Security at identifying risk, following up, tracing it throughout the chain, and resolving it. We still have various toolings, but over time, the goal is to nest everything into Splunk Enterprise Security to make it cohesive from end to end.
I am enjoying our implementation of risk-based alerting. That has helped very much with cutting out a lot of the noise that we have. It has reduced our alert volume significantly. There is about an 80% reduction.
SureshKumaresan
Cyber Security Consultant at HCL Technologies
Splunk's advanced threat detection capabilities are excellent. Recently, Cisco acquired Splunk, so many customers are migrating to the Microsoft platform, but historically, I've found Splunk does a better job of correlating and collecting the security logs of all kinds of appliances. Most customers want to consolidate their security products into Microsoft.
It supports just about every cloud solution. It is easy to collect and correlate all the data. The visibility is good. Insider threat detection can be customized. My customer was integrated with many third-party credentials and other threat sources as well. The integration part was seamless and easy. The rates for allocating valuable information and IOCs from different sources are also good.
Splunk Enterprise Security has helped speed up our security investigations.
Raheel Asim
Security Operation Centre (SOC) Analyst at Nera Philippines Inc.
The solution offers a variety of good features. It has a simple user interface where we can find various options easily. The search functionality is great.
Integrations can be done easily. It’s not complex like other solutions, like Radar or Azure. Everything is easy to manage, including the log sources.
The visibility is continuous. We have different web servers, databases, routers, endpoints, et cetera, and we gain visibility from a security perspective to all of them. We can generate different types of dashboards to visualize traffic from various resources.
We can see user behavior and have access to user behavior analytics. We also are able to have some custom rules that allow us to effectively continuously monitor the activities of our users. We use a third-party solution for that.
Splunk Enterprise Security is helpful for analyzing malicious activities and detecting breaches. I can take various logs from log sources and centrally manage everything via custom rules. We have been satisfied with the capability to analyze malicious activities and detect breaches.
It helped us with faster detection of threats. If we compare it with other solutions, it is much faster. For big organizations that have their logs and terabytes, working with something like QRadar takes lots of time. Splunk is much faster.
Since the time of deployment, we've been able to use all of the features and integrate rules and use cases with threat intelligence. We've reduced false positives by 90%. Between the first and sixth months, we reduced our alert volume by 50% to 60%.
Splunk Enterprise Security helped speed up our security investigations. We now have an in-depth insight into endpoint usage. We've saved about 60% of our time if you compare Splunk to how we were operating before in terms of monitoring.
The correlation search functions that generate all the notables are valuable. That can get pretty complicated, and it handles that pretty well.
I am a basic user. The search lookups are useful.
From the class that I took this week, being able to create notable events from whatever you find in the data set is pretty useful.
It provides a risk score for each object, device, or user. We can then take action if they are at a higher risk.
Dimitar Simidchiev
Security Analytics innovation lead at a pharma/biotech company with 10,001+ employees
You can integrate Splunk with third-party security automation solutions and set rules for automatic response. Splunk can monitor multiple cloud environments, but it's a little tricky if you're working with several vendors. Every cloud environment is slightly different, and some are better integrated.
The visibility into multi-cloud environments is decent. It depends on the number of sources you have, and Splunk is pretty flexible from that perspective. You can add any type of data source. The challenge is the engineering effort some of these data sources require, but others are effortless to manage.
We haven't used the insider threat capabilities yet, but it's an area that we want to explore. We have other tools for this. We use different products for threat intelligence.
The tool drastically reduces SOC overhead. Its integration with our tool suite is great and helps us correlate events. The solution is also a lot faster than our standalone instances.
Splunk Enterprise Security helps address our customers' missions. We want to ensure that our environment is secure and safe and detects anomalies and threat actors as soon as possible.
The solution helps my organization's ability to ingest and normalize data. It has also improved resilience.
In the context of apps, we use a lot of search and reporting. We create many searches and reports that quickly summarize a lot of information. That's the part that I mostly look into. That has been very valuable. I also like the dashboards and visualization features.
Its ability to provide end-to-end visibility into our environment is important. It helps a lot, especially when other users or stakeholders want that information. So being a little more transparent, but being mindful of the compliance and rules associated with that. It makes it really easy to communicate with people. They want statistics fast. The ability to quickly pull it out without a hassle is very valuable.
We use Splunk to try to reduce the number of random alerts sent out. We're trying to consolidate a lot of functions. That has been very valuable and helpful for us.
The logging system has been a great help to us. Sometimes when we try to integrate some functions, we're not sure what errors happened. We look into the logging system, and it provides so much information.
These optimization examples have reduced the mean time to resolve. It has been reducing cutting time.
It definitely helps our business resiliency a lot. We have a specialized cybersecurity office and on-prem technology and they really like to use Splunk. It has been addressing a lot of concerns and it is able to output the data that people are looking for. It's able to predict and identify a lot of functions.
Splunk Enterprise Security has been a great help to us in consolidating our tools. It's definitely been pulling a lot of data, especially from the network side of things. We look at it for baseline security tests. Splunk has a lot of apps and add-ons that we have been using Enterprise Security for.
Correlation search, in general, is valuable because it allows us to search multiple data sources easily.
The solution's most valuable features are the granularity and analysis of the logs. Once you learn the syntax, it's a great tool. These features are important to us because they enable us to drill down to certain users doing certain things and perform trend analysis.
There are a lot of third-party applications that can be installed. You get a lot of good visibility on your infrastructure regarding risk. It's very data-driven, and it integrates into systems well.
We are able to monitor multiple cloud environments with Splunk. Each data source has different stuff that requires monthly payments.
I have used its threat intelligence management function. It can be a very useful feature for customers.
The MITRE ATT&CK framework is helpful for helping uncover the scope of incidents. It offers a good level of simplicity.
Splunk Enterprise Security is great for analyzing malicious activities and detecting breaches.
Amine Besrour.
Risk Manager at Samapartners
Three features stand out for me: the SDK for writing Python, the customizable and adaptable diagnostic dashboard, and the optimizer for collecting data.
Integration with the cloud is pretty important and good for us. We found the integration with a lot of tools, not all tools yet, valuable. It does make the transfer of data, log files, and other things easier for us.
The most valuable feature is the incident dashboard, and the extensive use of correlation searches, which isn't available with a standard Splunk search package. This feature is important to me because it enables SOC analysts to do their job more efficiently and be able to investigate or mediate incidents at a faster pace.
Another benefit is the expansion of the use of ITSI, SOAR, and now Mission Control being able to holistically monitor an environment with one tool. Also with Mission Control, we have the ability to have one interface.
It's very easy to monitor a single cloud with ES solutions. I've worked with several other SIEM tools before and Splunk does it better.
Splunk's ability to predict, identify, and solve problems in real time is good. They do it better than other tools.
I like Splunk's data aggregation and search capabilities. The insider threat detection features are handy, and Splunk's user behavior analytics are solid. It's one of the best tools for UBA. It covers everything.
Splunk's Threat Intelligence Management draws from 10 to 15 open-source sites in real-time, enabling us to correlate our data with the IOCs. It helps us detect zero-day attacks. Splunk's threat topology and MITRE ATT&CK framework cover everything, including endpoints and application security from Layer 3 to Layer 7. Most queries are available out of the box.
It's a fantastic tool for monitoring your environment. It allows you to do some granular analysis and see which assets are part of an attack. When breaches occur, you can quickly search your entire environment. It speeds up our threat-hunting process.
Splunk's strongest suit is its user interface. We can integrate multiple solutions and adjust settings in the Splunk interface. It's easy to manage multi-cloud environments because we can use rules to segregate the data and restrict our clients from seeing each other's data. Splunk has a lot of plugins and add-ons that provide a lot of information about our cloud and on-prem environments.
Splunk's MITRE ATT&CK framework is excellent, but I haven't used it for investigation. I'm primarily involved in implementation and development. Splunk Enterprise Security is solid detection-wise and faster than many other SIEM solutions.
We already have an antivirus solution in our environment, so Splunk detects viruses based on that. Once the antivirus detects something, it generates an incident in Splunk that we can investigate. The detection time depends on a few factors, but we can detect a threat in two to five minutes under ideal conditions.
The varied prebuilt feature is the most valuable because it ensures that we have complete coverage over all of the key questions. By seeing how others analyzed the data, we can develop new dashboards and approaches. It is always helpful to see how someone else used a tool to spark ideas about how we can enrich our items based on our specific needs. This feature covers a lot of our core general questions and is helpful, but it also allows us to see what someone who is really focused on this area has done and how we can tune and tweak it to our needs.
Kent Yan
Information Security Analyst at a leisure / travel company with 1,001-5,000 employees
Its alerting is most valuable. We have alerts set up in our environment for certain attacks, such as an SQL injection attempt. We have a front-facing server for the website. It is out there, and anybody can access it. When those SQL injection attempts come in, we can detect that with the alert. We get the alert in our mailbox, so we can start looking at it right away. Generally, with a SQL injection attempt, there is way more to it than just the SQL injection. There could be another 15 or 20 different types of attacks attempted during the injection. They are just trying to see if there is any vulnerability, and then they can take a shot at it.
The dashboard is amazing. Out-of-the-box dashboard is very good. It is very user-friendly. It is out of the box. With a few clicks, the dashboard is there.
I like the Splunk dashboard and search engine.
I like how easy it is to integrate the logging of all of the various nodes. The product also offers nice connectors. Other features include the product's ability to allow users to customize their dashboards, signatures, metrics, and other elements, making it a very valuable and reliable tool for my organization.
Azita Zoughi
System Engineer at Tara
We use Splunk for security and tracking what happens on our network and it is effective at that.
We like the big data analyzer.
The dashboard and alerts are good. We can use them for monitoring to see what’s happening on our network. It’s centralized. It gives us good visibility into multiple environments. We can use it in Windows, Linux, et cetera.
We can use platforms and integrate everything together. We can see multiple environments on-premises.
When something happens, we get alerts via SMS or email.
We use the MITRE ATT&CK feature and it is very effective to use for detecting threats.
We can also schedule reports on a monthly or weekly basis.
It’s very useful for tracking. If you can look at the steps and see what happens, you can investigate effectively, and so on.
Splunk Enterprise Security is excellent for analyzing malicious activities and detecting breaches. We can see, step by step, what happened. We can escalate and investigate and so on.
Splunk has helped us detect threats faster. The alerts are very effective.
It helped to reduce alert volume. I’m not sure precisely how much, however, it depends on how many client devices you are tracking and analyzing.
Splunk is a suitable resource for collecting logs.
I haven't had the chance to properly sink my teeth into Enterprise Security but so far I like that they added the MITRE ATT&CK features.
This feature helps us know how to plan when we have an incident, know where to look, what to look for, and aspects like that.
The MITRE ATT&CK planning is valuable. When we see those incidents and those logs, having the information right there speeds up the process a bit.
We did not have a SIEM at the time, so we added Enterprise Security as our SIEM. We're hoping to learn more about it and grow as we progress.
The risk-based alerting (RBA) is one of the valuable features. It's a really cool concept to explain and see the impact that you're having on the company.
Splunk Enterprise Security's ability to find security events across different environments, whether in the cloud, on-premise, or hybrid, is really good. Because it gives me a lot of content out of the box, the only thing I need to do is ingest the data, and I'm good to go.
The most valuable feature is the incident review, which gives a good overview of our security incidents. I also like the solution's search functionality, which makes it easy to find things.
Splunk Enterprise Security generates our alerts, and we would have to refine the searches if we want to reduce them.
It's very important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment.
Splunk Enterprise Security has helped reduce our mean time to resolve and helped improve our organization’s business resilience.
It is pretty good. We can extract the metrics we want on the dashboards. We are able to react to the incidents. We are also able to monitor the service. In addition to the incident response, we can also do investigations, fraud detection, and other things like that.
reviewer2528960
CISO at a manufacturing company with 1,001-5,000 employees
Splunk Enterprise Security helps with advanced reports and keeps the system scalable and flexible. It provides a clear picture of the current status of any incidents. As a CISO, I see a lot of potential for future innovation, which is interesting. I've noticed better performance, especially with the reports.
The solution is the market leader.
Our customers are always looking to partner with market leaders as you can't go wrong with them.
Customers can monitor cloud environments.
The threat detection capabilities are quite fast and efficient based on my customer's feedback.
We've used the MITRE ATT&CK feature and it's good. It's pretty standard and comparable to IBM. Most products offer this as well.
It's good for analyzing malicious activities. It's good as an overall platform. It's good at detecting threats. It's a basic feature that is quite effective.
Splunk can help to reduce alert volume if you configure it properly.
They are a market leader in a lot of areas in terms of features and functions.
It helped us speed up security investigations. I'm not sure of the exact percentage it helped us speed up by, however.
It has a lot of basic and standard features.
It is a full-fledged solution that provides everything a company needs.
It gives us good visibility into multiple environments, including cloud, on-premises, and hybrid; irrespective of platform.
The UI is also very friendly. You don't have to work very hard to find things.
Splunk enables us to customize dashboards and queries, and we can add multiple admin users. We only use the essential parts, including the MITRE ATT&CK framework capabilities. Organizations share threat information under the MITRE ATT&CK framework. We do threat hunting and marketing based on that.
We do manual threat hunting. We get all the IP addresses and check the threat databases to determine if it's malicious.
Splunk incorporates a lot of elements that help to reduce security risks. For it to reach certain compliance, we need to have some security insight. Splunk is a very good SIEM, it’s a top solution, but the best feature is its cost of visibility. We have all the most important features to detect vulnerabilities or risks.
We use the threat intelligence management feature.
We have been considering implementing certain frameworks, such as MITRE ATT&CK or threat topology features.
It contributes value by enhancing resilience, crucial for adopting a Security Information and Event Management solution. Site resilience is imperative for our organization, meeting a key security requirement.
The features are fine; they aren't exceptional in any way.
We are using Microsoft 365 and we're using the Exchange Mail Service. It's good for monitoring that in particular.
The visibility we get has been good.
Inside threat detection capabilities are good.
It's helped us to reduce our alert volume a little. I haven't properly calculated it fully so it's hard to lay out a percentage.
Nadine S.
Security Engineer
Incident Review and correlation search are valuable features. These features help us create correlations and have good actions afterward. The product provides visibility and enables us to correlate data and generate alerts.
The notable events and the incident review features are the most valuable. It gives you an overall idea of what's going on in terms of security in the environment.
I also like the automation. We write custom scripts and automate certain tasks. That's also interesting. This feature saves us time.
Splunk is capable of doing a lot in real time; even with data coming in that is a terabyte in size, you can still do searches in real time. We have correlation searches that do similar functions.
It has a lot of the features we're looking for.
Yoganantham Theerthagiri
Regional Channel Manager at i2sBusiness Solutions
The dashboard and reporting are very good. Our clients monitor multiple cloud environments and Splunk helps because, in general, monitoring multiple cloud environments is definitely difficult and very complex. It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk.
The solution is also very good in its threat-hunting capabilities and anomaly detection. It uses an AI-based detection system to identify real-time anomalies and provides complete visibility into the network.
And you can feed multiple threat sources into Splunk and the Threat Intelligence Management feature gives you information about current or potential attacks. It provides complete security support in the threat intelligence space. It helps your administrator to correlate indicators of compromise from threat intelligence databases and feeds.
Also, the Splunk Mission Control feature, which is mainly for Splunk Enterprise Security cloud users, provides a unified and simplified security operations experience for SOC analysts.
We also use the solution's Threat Topology and MITRE ATT&CK framework feature. That's something you need for cyber breaches to contain a threat. This feature comes into play when you need to mitigate an incident in your environment.
Splunk works based on parsing log files.
The feature that I have found most valuable with Splunk is the ability to sift through a bunch of data very quickly.
We have about a 500 gig license with Splunk, so it's not like petabytes of data, but even 500 gigs is kind of hard to sift through sometimes.
Austin Greenbaum
Information Technology Specialist at a healthcare company with 10,001+ employees
From my experience, the visual aid that it provides is most valuable. There are charts and other means to provide information.
Chris Danshaw
project manager at ManTech International Corporation
The ability to ingest different log types from many different products in our environment is most valuable.
It seems to have everything in terms of features. Every time I think of something, I go out to their site, and I can pretty much find it.
The metrics and trends that Splunk Enterprise Security generates using all the data points we send allow customers to understand better what their users are doing.
Gatlin Gates
Security Engineer at By Light Professional IT Services
Being able to track impossible travel logins and things of that nature is valuable. We can track user logins from various IPs, various countries, and at various times to see if everything adds up. We can check to see if it makes sense that someone logged in from China and in the US within an hour.
Enterprise security is the solution’s most valuable feature.
Its reporting functionality is excellent.
I really like the user interface and how it works.
It’s scalable.
The solution is stable.
You can integrate any other tool or any other solution, including existing solutions, with Splunk. They have a good setup.
The log analysis is something that is good. In general, data analysis is something you can do in Splunk in various ways. You can leverage it as per your requirements or as per your investigations. You can write your own queries and complicated queries, and you can have your own alerts. You can correlate events. It’s very flexible.
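The impossible-travel check described above, as an added Python example that is neither Splunk's nor the reviewer's code (in Splunk this logic would live in a correlation search). The GeoIP table, the plausible-speed threshold, and the login log format are constructed assumptions.

```python
"""Flag successive logins by one user whose implied travel speed is implausible."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Iterable

# Constructed stand-in for a GeoIP lookup: source IP -> (country, latitude, longitude).
GEOIP: dict[str, tuple[str, float, float]] = {
    "198.51.100.23": ("US", 37.77, -122.42),  # San Francisco
    "203.0.113.9": ("CN", 39.91, 116.40),      # Beijing
    "192.0.2.77": ("US", 40.71, -74.01),       # New York
}

# Assumed threshold: faster than an airliner means the two logins cannot both be the user.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    ip: str


@dataclass(frozen=True)
class Finding:
    user: str
    from_ip: str
    to_ip: str
    km: float
    hours: float
    kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_login(line: str) -> Login | None:
    """Parse one constructed auth line; only successful logins are kept."""
    # Format (constructed): "<ISO-8601 UTC> user=<name> src_ip=<ip> result=<success|failure>"
    parts = line.split()
    ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    fields = dict(p.split("=", 1) for p in parts[1:])
    if fields.get("result") != "success":
        return None
    return Login(user=fields["user"], ts=ts, ip=fields["src_ip"])


def find_impossible_travel(lines: Iterable[str], max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[Finding]:
    """Compare each user's consecutive logins from different IPs and flag implausible speeds."""
    by_user: dict[str, list[Login]] = {}
    for login in (parse_login(ln) for ln in lines):
        if login is not None:
            by_user.setdefault(login.user, []).append(login)

    findings: list[Finding] = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.ts)  # logs may arrive out of order
        for prev, cur in zip(events, events[1:]):
            if prev.ip == cur.ip:
                continue  # same source, nothing to compare
            geo_prev, geo_cur = GEOIP.get(prev.ip), GEOIP.get(cur.ip)
            if geo_prev is None or geo_cur is None:
                continue  # unknown location: cannot judge, leave for other detections
            km = haversine_km(geo_prev[1], geo_prev[2], geo_cur[1], geo_cur[2])
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else float("inf")  # same timestamp: no travel possible
            if kmh > max_kmh:
                findings.append(Finding(user, prev.ip, cur.ip, km, hours, kmh))
    return findings


# Constructed sample log: alice appears in San Francisco and Beijing 45 minutes apart.
SAMPLE_LOG = [
    "2024-05-01T08:00:00Z user=alice src_ip=198.51.100.23 result=success",
    "2024-05-01T08:45:00Z user=alice src_ip=203.0.113.9 result=success",
    "2024-05-01T09:00:00Z user=bob src_ip=192.0.2.77 result=success",
    "2024-05-01T17:00:00Z user=bob src_ip=198.51.100.23 result=success",  # NY to SF in 8 h is fine
    "2024-05-01T10:00:00Z user=carol src_ip=192.0.2.77 result=failure",   # failures are ignored
]

if __name__ == "__main__":
    for f in find_impossible_travel(SAMPLE_LOG):
        print(f"{f.user}: {f.from_ip} -> {f.to_ip}, {f.km:.0f} km in {f.hours:.2f} h ({f.kmh:.0f} km/h)")
```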
The monitoring and the security functionality are the most valuable aspects of the solution.
It is easy to set up.
It is very scalable.
You can basically make it do whatever you want, from log management and monitoring security, intrusion detection, prevention, and linking to your antivirus to report to it. Having kind of a single point where everything feeds in and creating dashboards however you like is useful, and it works with however many systems you want in that dashboard.
It is a very well-organized solution. I find it more user-friendly than ArcSight and QRadar. I can search, and I can do whatever I need in terms of dashboards, reports, etc.
It is the best tool if you have a complex environment or if data ingestion is too huge.
Avraham Sonenthal
Senior Network Engineer at a government with 5,001-10,000 employees
This is a very capable and flexible solution. It's based on Linux and even Windows installations use the Linux file structure. You can use it to gather syslog messages from anything: jet engines, fin-tech financial institutions, banking, regular enterprise, etc. You can gather the messages from network equipment, elevators, anything you can think of that generates syslog, and Splunk it. They also have a good API so you can write your own code to talk to it or interact with it. The solution has a lot of applications that people have written. It's the best solution on the market.
The most valuable feature of Splunk is security information and event management (SIEM). Additionally, the solution is easy to use, has useful reports, and a good interface.
ManojSingh
Senior security consultant at a comms service provider with 51-200 employees
One of the most valuable features is threat hunting. We can do threat hunting and identify if there is any malicious activity happening within our environment, which is a key feature for us.
The additional vendors we've brought on board, particularly the Elastic, have been quite beneficial.
It's a solid platform.
What is nice about the solution is that it makes it easy to build the queries, search for the events and then do analysis. I recently have become involved in the Playbooks, since it is painful for the client to respond to the threat, be it positive or negative. As such, I currently see the Phantom component of the solution to be of great value. Otherwise, most other features seem to be similar to Netwitness, such as the monitor log, network, and endpoint capabilities. Importantly, the solution lacks endpoint options, as these are currently deployed on Cisco, which is okay, as it works fine with that bad side of the endpoint security. This translates into them building queries, rules and then Playbooks.
The main advantage of the solution is that it provides an easy setup platform in the new environment. When set up afresh, it is also easy to build queries. Historical queries can be used to site for a new event, which makes it easy to use, deploy and understand.
The flexibility of the search capability is most valuable. You can use it for more than just a basic log aggregator. It is powerful in that regard.
The most valuable aspect of the solution is the ability to capture the different data streams. We also appreciate the reporting in that aspect of Splunk. If we can grow now, with any security arena, it's going to be proactive, not reactive. It allows us to digest the information, the data, the different data streams, so we can make decisions based upon information that we receive, and it is pretty robust.
The most valuable aspect of the solution is the dashboard. It's very intuitive.
The reporting is excellent. The team and the SOC analyst are able to easily track the alerts and the correlation is very good compared to other SIEM tools.
The ease of use and building queries, specifically SQL queries, is notably beneficial as it is easy to build, and the data model itself is very simple. The advanced correlation capabilities are very useful for identifying patterns or malicious activity of users.
The deployment server is very good and is one of the best features of Splunk Enterprise Security for me; you can use that deployment server even for distributing any agents, upgrading automatically, and universal forwarders. Its search is very flexible, allowing you to search anything by typing a sentence.
Russell Barber
Spelunking Consultant at BlueVoyant
The solution's most valuable feature is its data modeling. Splunk has data from so many different vendors. Moving all that or normalizing that to the data models allows us to look at one place holistically across all the different inputs.
Splunk would be my choice for the presentation layer because it comes with inbuilt reports and a dashboard that you can customize.
Splunk provides a free version so you can test it before purchasing. It's better than IBM, in my opinion, because it's an independent entity. With IBM, for example, if you want to use EDR and other features, you must use the features of other companies, such as ServiceNow and Jira.
I am still exploring the features provided in Splunk. As I have not used it for a long time, I don't have a clear vision of it.
Splunk has machine learning which is a valuable feature.
Ermal Galo
Information Security Officer at a financial services firm with 501-1,000 employees
The log management is great.
It has a very good alert tool that you can create with the logs that Splunk gets.
You can check up on security from the dashboards. We use some custom applications which we have created by ourselves. It's very helpful to have custom dashboards with knowledge of the system of what we monitor.
The initial setup is simple.
We have found the solution to be stable.
Its scalability is quite good.
Splunk is quite flexible for our customers. Splunk does not filter from a specific log, you can define it later.
The connections to the database are very good and updating the data files is simple to do. The dashboards are useful and user-friendly.
Kenneth Barnes
CTA\Owner at UCSolutions
The SIEM is the most valuable feature of the product.
Having a better integration method and then ingesting and mapping the information have been somewhat easier than some of the other tools that I've used previously (other than QRadar and Rapid7).
The initial setup is pretty simple.
The solution is scalable.
Stability has been quite good.
The pricing is pretty decent.
Ahmed ElSanhoury
Head Of Sales at Cascade Solutions Inc
Splunk has a great platform. Their edge is in their log management and being a very powerful log server. Recently, they added some licensing and updated correlation rules to act as a SIEM Solution. They seem to be penetrating the market in a proper way.
Rajiv Warrier
Regional Head at a tech services company with 51-200 employees
It's basically one of the best SIEM products on the market.
The scalability is great.
We have found the solution to be stable.
Technical support is helpful. They respond in a timely manner.
Splunk handles a high volume of data that we have, and it does it really well.
For what we're using it for, we're happy with its functionality.
The reporting aspect is good and it does what I need it to do.
From an operational standpoint, it helps us on the operations side and it also shows where we're having issues.
It connects to a lot of stuff. We can collect information from a lot of sources.
We have found all the features useful. However, the dashboarding and logging have been very helpful. Additionally, the log analysis does a great job.
The most valuable features in Splunk are the search function and the ability to run selected session reports. The session reports are important because I can use them to see what is going on in our environment weekly. Additionally, we can use the graph to see how often that particular event is happening.
Attila Mate Kovacs
Senior Cyber Security Expert at a security firm with 11-50 employees
The speed is a very valuable aspect of the solution.
The way Splunk handles low data and low-rate costs is great.
The level of robustness on offer is very good.
The initial setup is very straightforward.
We have found that the solution offers good integrations with other products.
Overall, the solution works very well.
Splunk can quickly be deployed and it's not difficult to learn the solution.
Md. Iqbal Karim
Technical Account Manager at Trustaira
The solution's capability is its most valuable aspect.
The initial setup is very straightforward.
The solution has proven to be quite stable.
We've found the solution to be very mature.
The integration capabilities are excellent. They have apps that integrate quite well with Palo Alto and Cisco, for example.
Arpan Balpande
Senior Information Technology System Analyst at YASH Technologies
There are quite a lot of things that we find useful. Splunk agents are useful and good. Its UI is quite impressive.
The most valuable feature is the reporting and the information that is provided by the tool.
It is very easy to implement a PoC using Splunk, which will show the value of the reporting and data that it provides.
The integration is seamless with many devices and operating systems.
It is flexible enough that you can choose what kind of deployment model you want.
They have a large solution toolkit that supports IoT, wherein businesses can get a lot of help with the centralized management functionality. There are also tools to assist from the security and SIEM perspective, and there is a centralized dashboard.
The ease of log connection has been great.
Its compatibility with other SIEMS is very useful.
They have many basic use cases that we like.
The cloud version of the solution is especially scalable.
The product has been quite stable so far.
The initial setup is very easy.
The Splunk programming language allows you to pipe searches into other searches.
What I really like is that even if you have already collected the data, you can extract data and add fields, which improves building searches. This is not the case with Elasticsearch, where this needs to be done upfront.
The features I have found most valuable are the dashboards.
I monitor the complete capacity that users are using in the company.
The models that we use are pretty mature at this point, which means we can be assured we are given the best use cases right out of the box.
We can just plug into the applications and everything is set up. There's very little configuration necessary.
The integrations that are offered with different tools are all very good. They offer integrations for all levels of security and have offerings from some of the other major solutions in the space.
The initial setup is pretty straightforward.
Julio Ortiz
General Manager at Intersoft S.A.
The correlation capabilities are the first value that our clients say they like with Splunk. Another benefit is that they can connect to any device or log from any device from anywhere.
It's easy, the tool is very easy to install and set up.
The most valuable feature is that it's very good for log aggregation.
The most valuable feature is the log aggregation, being able to scan through all of the logs.
The logging features are useful as are the dashboards and alerts in addition to the organization of data. It has options for creating dashboards and alerts. You can also create queries in the SQL language. Splunk is a user-friendly solution.
Splunk can extract all kinds of data. There's no limitation on what kind of structured and unstructured data one needs to extract — it can access any kind of data, including machine-generated data.
The ease of deploying the agent is great in Splunk. One can easily deploy the Universal Forwarder which can extract any amount of information and put it into an indexer. The flexibility of ingesting any kind of data is good with Splunk.
In regards to action-oriented tasks, if an alert is triggered where I have to perform a certain action in the form of executing a Python script or invoking a PowerShell script — this is easy to do with Splunk.
The Splunkbase is great. There are thousands of apps that are already available, I can install those apps with full-connectivity and use them to extract any form of data. The community in the Splunkbase is also really strong.
The ease of integration with third-party tools is great. In the Splunkbase, there are so many apps that are easy to integrate with.
The user interface is really good. There is a machine learning toolkit — I like it a lot. They have use cases in place so that people with little experience in machine learning can go through these examples of use cases and gain a better understanding.
Praful Bhatnagar
Principal Systems Engineer at Aricent
It's the completeness of the solution that we like the most. It has a solution for backend log analytics, but also one for mobile applications.
Sena Nur Tüvsüzoğlu
Junior SAP Security Engineer at Sagesse Tech
The graph visualization is the most valuable feature.
The indexing and data collection are valuable.
It is very easy to use and integrate. There are connectors for every technology.
VolodymyrSavov
Splunk BDM in UA at a manufacturing company with 51-200 employees
The fact that Splunk is a platform and not just a SIEM solution is a key benefit.
Our customers like that they can use Splunk to optimize their security.
Anjani Kumar
System Engineer at NetScout Systems
The most valuable feature of Splunk is the management and built-in workflows.
Marcelo Canedo
Presales IT at a tech services company with 201-500 employees
The product is good, it satisfies our customers.
The most valuable features are how stable and easy to use Splunk is.
I like that the solution is easy to use and stable.
We enjoy the whole solution. It is meeting our requirements, especially the SIM solution.
The alerts are very user-friendly.
We can easily configure things as required in relation to our use cases.
The search functionality is good. It works like Google.
Onboarding is quite easy.
The scalability is good.
Product-wise, the performance is good.
Ali Tamimi
Managing Director at Hayyan Horizons
The log aggregation is great.
The solution offers good data analytics.
The dashboards are very helpful.
The initial setup is simple and straightforward.
The solution is low-maintenance.
It's a stable product.
We have found that the solution scales well.
The most valuable features of the solution are it is straightforward to use and the documentation is good for finding out how to get the data you are looking for.
I am just a user, and from a user's perspective, it does the job.
It has quite extensive support in terms of integration. If you want to do anything, there are tools for that.
Its dashboard is valuable. If you have a good knowledge of how to create a dashboard, you can create any dashboard related to cybersecurity. If fine-tuned, the alarms that are triggered for instant review are also very valuable and useful.
Because I'm security focused, I prefer the security features such as Splunk Phantom and Splunk Enterprise Security.
AdityaAgrawal
Information Security Analyst at a tech services company with 1,001-5,000 employees
Its integration is most valuable. Its UI is also pretty much easy.
It provides a lot of analytics with the underlying AI engine, and it is a lot easier than other solutions. There are some products that do automated AI-based detection and drawing up charts, but for network monitoring and all of the monitoring aspects, it is quite a nice tool.
It is very convenient for business users because they get more or less a lot of data readily available. If you're familiar with the Splunk query language, you can pretty much do whatever you want.
Gregg Woodcock
Consultant at Splunxter, Inc.
- Core Splunk
- Saved searches
- Dashboards (SimpleXML)
With good domain knowledge, one can build almost anything. If you throw in Alert Manager or an integration with ServiceNow, then you have your own SIEM.
The solution has plenty of features that are good.
Splunk is good at log collection and log management.
Matheus Nery
Data Scientist at a tech vendor with 201-500 employees
The ability to analyze huge amounts of sales data and accurate prediction of sales forecasting is the most valuable feature.
The logs on the solution are excellent. Mostly I see just the reports or the outcome, however, with the log portion, where you could actually take log entries and pass them through the system in order to create events or conditions, and get reports. You can set up your conditions to the logs that you invested into Splunk, and get the reports or the output that you want.
HimanshuTejwani
System Administrator and DevOps Engineer at a tech services company with 10,001+ employees
This is a straightforward solution, easy to configure and difficult to mess up.
The flexibility of the solution is quite good.
The product is stable.
It offers good scalability if you are willing to pay.
The technical support on offer is responsive.
Rudi Wicaksono
Architecture and Security Team Leader at CV Akbar Panjaya
All the features are valuable. It helps us uncover bottlenecks in the network.
Mui Tran
Project Manager at Idemitsu Oil & Gas
The most valuable feature of Splunk is the log monitoring.
M Ghuyoor Syed
Sr. Manager Information Security at Tapal Tea (Private) Limited
Selecting the relevant events and records.
The ability to correlate results.
Luiz Fernandes
Técnico Judiciário at a government with 1,001-5,000 employees
Splunk is a good solution to collect more events than other solutions. It's a good solution, for me, for this reason.
Log search and alerting/reporting.
Splunk has many good apps and has a contribution from all security vendors. That's where Splunk wins.
Marc Chan
Net Sec at a tech services company with 11-50 employees
The search function for Splunk is like a Google search. You just enter it and it will quickly show you the results.
Shaveta Datta
Technical Project Manager at Altran
It's very flexible. If you look from the cloud implementation it is there. Reports are made quickly. Unlike other tools, it caters to all kinds of technical information on the front very easily. There's no need to put in any technical information. You can pull up the reports very easily, take action, and notify stakeholders.
RhondaTurner
VMware Engineer at First Data Corporation
- In-depth logs
- Add-ons
- The ability to ingest data from other tools
- The detailed log view
- It's easy to read
SenNetwork4433
Senior Network & Security Architect at an insurance company with 501-1,000 employees
It is quite extensible. It is a platform that we can build our use of each case instead of each case being limited or restricted to each capability. This is probably the best feature.
The user can apply for all kinds of device systems, no matter whether he/she is using Windows or Linux. It can easily collect the logs. In addition, the user can have an index which can help us to collect and analyze all kinds of logs and find the outstanding issues.
Tony Fabrikant
CTO at IHS Markit
The dashboards are the most valuable feature. We like the ability to drill in and see what queries are under the dashboard, build new visualizations, edit the querying, and see the reports. The dashboards are very intuitive and similar to SQL. They are easy to set up and get running.
The ability to create dashboards.
You can run reports against multiple devices at the same time. You are able to troubleshoot a single application on a thousand servers. You can do this with a single query, since it is very easy to do.
Sam Osborn
Software Engineer at Tableau Software
Being able to search across all the different production environments at the same time, then being able to do search queries to scope out specific environments, specific components, or specific logs from different languages, such as Java or C++. Thus, being able to have really fine-grained control on log searching is really good.
Out-of-the-box, it seems very powerful.
We like the dashboard creation and the ease with which we can harness the APIs to create custom BI dashboards on the fly. This adds most value for us. The nature of some of our microservices that I have run on the cloud is mixed workloads, wherein with the flow of data, it can change over time. In order to adjust for this, and cater to the needs of some of our internal customers, BI dashboards need to be created, tweaked, and modified. Also, doing this by hand is next to impossible. Therefore, we have strung all of this through a programmatic pipeline, which is something which we like because it is easier for us to harness it utilizing the API.
Kenn Brodhagen
DevOps Engineer at Amplify Education, Inc.
Its usability is the best part. It is easy for our developers to use if they want to search their logs, etc.
Gavan McLaughlin
Application Engineer at Expedia
The most valuable feature is its centralized log analytics.
Tomi Juslin
QA Lead at a financial services firm with 501-1,000 employees
It provides logs in one place, so they are easy to find. It collects the logs from multiple places, then you have just one place where you see the whole flow from the front-end to the back-end. This is the best thing.
Jerry Castille
Chief Architect at PathMaker Group
It has a big user base, so the community is useful.
- Easy indexing.
- The solution is faster.
- The product is adept at log mining.
- It has the flexibility to do multiple analyses.
- It works across heterogeneous environments in different ways.
Roman Burdakov
Engineering Manager at Cengage Learning
There are a lot of plugins to integrate this. The client site login is pretty extensible and probably cost-effective. Plus, it is easy to configure.
The most valuable features are understanding the visualization compass on the dashboard, as well as the reports on the dashboards.
The auto-notification abilities are a huge benefit for us.
Omar Sánchez (Mr.Tech)
Information Security Advisor, CISO & CIO, Docutek Services at Docutek Services
The dashboard centralizes the daily routine. We used to do this by hand. Now, we go through daily checklists, using the dashboard and setting up the alarms. It helps us to cut down the time on this routine.
I am a cybersecurity director. I manage five different business lines. Every morning, we used to have to go to different tools to get our daily routines done. With Splunk, centralized as it is, we can see everything in one place. We use it not only for monitoring events, but in case we need to do a group call. We can see what's going on, viewing all of the offenses and security events which are happening in our infrastructure.
- Drill down
- Apps
- REST API
- Software development kits
- Architecture
- Replication capabilities
- The easy automatic field parsing of logs.
- Data model acceleration
- The ability to easily have access and install Splunk add-on plugins and custom apps. This greatly assists with using it to connect to various systems easily and use it as a centralized data sink.
UBA, User Behavior Analytics.
The following are the top three features that I find quite valuable:
- Capability to expand the functionality through custom code for data inputs, commands, visualization, alerts, and machine learning.
- Quick turnaround time for setting up monitoring and alerting with built-in capabilities, plenty of enterprise-grade apps available on Splunkbase, and custom coding based on Splunk development skill level.
- Free Splunk license for PoCs on personal machines and the ability to scale the PoC to an enterprise level app.
Search and Dashboarding: Allows us to quickly search for an error and plot the results on a chart.
Splunk's ability to receive all types of data and identify it correctly. It obtains a correlation of the logs and identifies incidents.
The search application has been the most useful. We have also liked the reporting features and dashboard capabilities.
The best features would have to be the ability to ingest any data and display it in a way that anyone can understand.
Its huge, versatile AppBase helped me to configure and bring data from different sources to a unified platform.
- Regex for field creation is great.
- High availability
- Easy to use in any environment.
Rajesh Mandale
Splunker at freelancer
There are too many features to list, but here are a few:
- Schema on the fly
- Ease of onboarding data
- Machine learning
- Apps or Splunkbase.
- Great list of apps to use and build upon once you learn more about how Splunk works.
- Ease of correlation, creating correlation searches (easy), and you can combine multiple sources with little effort.
- Data Models Acceleration for super fast searches across tens of millions of events.
- Common Information Model
- Security Essentials App
- Enterprise Security
- Splunk SPL (Search Processing Language) is easy to learn and has IDE-like capabilities.
- Log storage or compression is great and retention is not an issue.
- Dashboards are simple to create and have input options, like time range and text.
- Drop-downs are simple to create.
- The integration with cloud solutions is great and keeps getting better.
The correlation searches (properly configured) populate the Incident Management dashboard and provide me a quick bird's-eye view of my most important concerns.
Splunk's schema on demand is incredibly useful. I do not have to worry about what my users will need when we onboard their data. They can make connections that we could not have foreseen. They dig deeper when they are searching.
Michael Kaericher
Senior Consultant at Securian Financial Group
Low barrier to start searching with the ability to normalize data on the fly.
I have also been able to take advantage of some of the more complex statistical capabilities when analyzing logs.
Christopher Mooney
Incident Manager at CyberCore Technologies
The ability to manipulate data in Splunk is unparalleled. Splunk’s powerful, flexible query language can morph difficult-to-understand log formats into usable data.
Correlating data across different systems via one interface will allow you to know your environment or identify incident data in ways you never imagined.
Gangikunta Somanath
Principal Engineer at Publix Super Markets
The most valuable features are:
- Risk analysis
- Machine Learning Toolkit
- dbConnect
- Cisco products
- eStreamer
- SIEM.
Visualizations are the best way to understand deviation techniques from the norm.
The search language is easy to understand and teach to new users. The SDK is comprehensive and has incredible levels of integration with the platform and data.
So many of Splunk's features are invaluable to us:
- Machine and business data retention
- Solid HA and distribution
- Adaptability to custom data
- Search, Search, Search.
It brings together all sorts of data. It has the ability to correlate data, analyze and review it. This makes weekly ops reviews and monthly executive management reporting much easier by saving hours of collecting data. Report automation has been a life saver.
It is easy to integrate with other solutions, like Slack, JIRA, Remedy, etc.
Clara Merriman
Business Intelligence Engineer at SONIFI Solutions, Inc.
Splunk is extremely flexible, which allows us to create custom visualizations along with other customizations. The flexibility of Splunk as well as the resources available for learning and support are the best in the business.
Robert Pollard
Director of IT at BLUE LAKE RANCHERIA
Aggregation searches, allowing for conditions to be automatically found in the data, have reduced the time and difficulty of identifying trends and conditions which need to be reviewed.
Colin Jackson, CISSP, MMIS, GMON
Information Security Engineer/Architect at The Church of Jesus Christ of Latter-day Saints
- Unstructured data
- Linking things together
- Building out stuff which is actionable.
Once you learn SPL and what data you need to obtain and merge together, it is really useful.
Personally, I like the capability of removing sensitive data before it goes into Splunk. I also like the ease with which dashboards can be created.
It has a low barrier to entry, but it is extremely extensible, allowing it to be tailored to highly specific use cases. It makes searching through a wider variety of logs much quicker and enables you to correlate events from one log to another.
Integrity with many vendors: This simplifies the implementation and integration with different devices.
MS Alam
System Administrator at Abdullah Al-Othaim Markets
Searches logs from all devices and gives valuable information to the organisation, so it can drill down on all reports and security threats.
The ability to view all of these different logs, then drilling down into specific times or into specific data sources, has proved to be the greatest aspect in decreasing our troubleshooting overhead time. The added security has proven effective as well, but given that we have not yet created the perfect model, we still find ourselves striving to develop a more efficient and predictive security analysis and action plan within Splunk.
Deployment server for deploying changes in one go.
There are too many features to list, but here are a few:
- Schema on the fly
- Ease of on-boarding data
- Machine learning
- Apps or Splunkbase.
- Great list of apps to use and also build upon once you learn more about how Splunk works.
- We build many of our own apps by leveraging the logic in the others.
- Ease of correlation: creating correlation searches is easy, and you can combine multiple sources with little effort.
- Data Models Acceleration for super fast searches across tens of millions of events.
- Common Information Model
- Security Essentials App
- Enterprise Security
- Splunk SPL (Search Processing Language) is easy to learn and has IDE-like capabilities.
- Log storage or compression is great and retention is not an issue.
- Dashboards are simple to create and have input options, like time range and text.
- Drop-downs are simple to create.
- Integration with cloud solutions is great and keeps getting better.
- Can get info from REST APIs easily, and there are apps for services like ServiceNow, Azure, Office365, etc.
Splunk has great interoperability with other applications through their SplunkBase app store. The apps can quickly provide visibility and streamline complex data mining tasks.
Splunk Enterprise Security is most valuable; my clients use it as a SIEM solution. Splunk gives them the ability to bring multiple, disparate types of data together, then correlate and report on them.
Splunk's capability to receive any type of logs and index them is a very good feature. Getting visibility from your network devices, servers, and security devices is a great feature.
Splunk can be seen as a huge box that allows the storage of all sorts of logs. This allows the centralization of data and makes possible new sorts of correlations that were previously impossible using traditional SIEMs such as ArcSight or QRadar. Splunk allows schema on the fly and therefore simplifies the whole data onboarding process. All that leads to flexibility when it comes to defining the metadata, since it is not necessary to have all the fields defined and extracted to be able to use Splunk.
Another great feature is the field extractor that allows persons with little or no experience with Regex to define fields and extract valuable information from the data.
Finally, the ability to connect with various sorts of databases, NoSQL solutions, makes it a very powerful tool, not only as a SIEM but also as a datalake for machine learning and data analysis.
Splunk has a single purpose in life: ingest machine data and help analyze and visualize that data. The breadth of the data sources that Splunk can ingest data from is broad and deep, and it does an exemplary job at handling structured data. It does a great job at handling unstructured data. Breaking data into key/value pairs so that it can be searched is relatively painless.
The ability to rapidly diagnose problems in production and non-production, across hundreds of log files, is the most valuable feature.
- The speed of the search engine
- All the types of data sources that you configure can be forwarded to Splunk.
- The ease-of-use
jorgenoguerah
IT Infrastructure Architect at a tech company with 201-500 employees
- Event matching between several appliances
- Correlating data from different sources
- Report viewer
- Splunk delivers a holistic view of an application (the big picture).
- Splunk provides immediate visibility into key business metrics and new business insights that deliver immediate value.
- Significant reduction in mean-time-to-investigate (MTTI) and mean-time-to-resolve (MTTR) production incidents from days to hours.
- Splunk visualization capabilities help pinpoint problem areas, spikes, and anomalies easier and faster.
- Ability to monitor and resolve integration problems before they impact the business user area.
- Splunk is being used as part of the development life cycle, resulting in better quality and more efficient applications.
- Provides additional insights into a 360 degree view of the customer.
Analytics and querying the indices are super easy.
The data representation options in the dashboards are excellent.
Multiple datasource/filetypes are supported and each can be customized in a few clicks.
- Flexibility when creating dashboards
- Automated cron searches
- Real-time and scheduled searches with alternate functionalities
- User-base integration with LDAP
They provide excellent predefined user cases.
- Collects data from any source
- Powerful search, analysis, and visualization
- Easy to build system on any platform
- API and easily integrated search
- Action script
Rapid search is a valuable feature. Performance and incident response were the top priorities for most MSSPs. Breaches of SLAs will have a negative impact on customer trust, which eventually leads to losing customer confidence in the services to which they’re subscribing. Hence, proactive approaches will be the main differentiator between one MSSP and the others.
- Can ingest data from various data sources.
- Is very useful for organizations who are attempting to meet compliance requirements.
- Is able to fully configure and integrate various solutions into one tool and provide actionable results.
Splunk's schema-on-read technology is one of the most valuable characteristics of this solution. It allows us to store raw data and use it repeatedly for different domains. You don't need to prepare the data upfront.
Splunk's Search Processing Language (SPL) is another beneficial feature. It is a very powerful tool that gives you the ability to do almost anything with your data.
What Splunk calls operational intelligence: fast availability of operational data spread across several servers to prevent or react faster to outages or performance decreases.
Its performance, scalability and, most importantly, the innovative way of collecting and presenting data.
Fast search! Imagine a scenario with an application environment where a couple of modules are based on different servers. There is a system issue and a check needs to be completed in a timely manner. Traditionally, engineers would have to log in to the servers, navigate to different folders and load the log files to check for errors. Splunk can give this at a glance for all of the systems at once! Furthermore, a “trap” of known errors could be saved and a real-time alert set up to send an email in a meaningful way with relevant details (e.g. priority, affected systems) and instructions on what needs to be done next.
Vinod Shankar
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Great log management capabilities with flexible and comprehensive search capabilities. Scalable and easy to use.
Splunk – ease of searching large amounts of data.
The Splunk user community and forum are most valuable.
Samer Amr
CyberSecurity Consultant at Information Technology Solutions- ITS
The solution is very fast and succinct.
The solution allows easy gathering and ingestion of the data.
The data analysis part is good in Splunk, which is something that I like the most. It is also quite easy to use. Its dashboards, visualizations, and analytics are good.
Buyer's Guide: Splunk Enterprise Security, updated June 2025.