    Data Analyst at Wipro Limited
    Real User
    Top 20
    Aug 5, 2025
    Improves visibility of infrastructure metrics but lacks flexible dashboard filters
    Pros and Cons
    • "The best feature I've seen is the ability to easily change the query based on the dashboard or based on the chart we have to create, allowing any value or metric we want to add to that particular chart while keeping the rest of the dashboard settings intact."

    What is our primary use case?

    I am currently using Splunk Enterprise Security to gather various infrastructure metrics. This includes data from SQL databases, Oracle databases, applications, and APIs. All of this data is collected and sent to a Kafka stream, using a connector to feed it into Splunk. My responsibility is to analyze this data to meet observability requirements. For example, I need to visualize the data from Oracle databases and other applications to identify issues. Depending on the metrics, I aim to pinpoint servers that may be experiencing problems, such as high CPU usage, disk issues, or memory overload. By analyzing the Splunk dashboard, I can quickly identify the problematic server.

    I am focused on creating a Splunk dashboard that allows users to easily identify issues at a glance. This will enable users or operations teams to promptly address any server problems. My work also involves using Excel queries and other tools to enhance this process.

    I am also working on anomaly detection for one of the services we have, but that is just beginning. We have just started with the anomaly detection part where machine learning can be utilized, but it is still in POC work.

    What is most valuable?

    The best feature I've seen is the ability to easily change the query based on the dashboard or based on the chart we have to create, allowing any value or metric we want to add to that particular chart while keeping the rest of the dashboard settings intact. However, it's worth noting that Splunk Enterprise Security does not accommodate data from various products as Tableau does because Splunk Enterprise Security is primarily focused on infrastructure and application metrics.

    What needs improvement?

    Last week, while I was creating a dashboard, I encountered a feature known as cascading filters. This feature allows one filter's input to depend on another filter. For example, if you select two filters, such as Asia and Europe, the country filter should update to include the countries from both continents. However, achieving this in the dashboard was not directly possible due to certain limitations of Splunk XML, particularly in the simple dashboard I'm using. While cascading filters can be implemented in the advanced Splunk Dashboard Studio, the XML option has its constraints. I found some online resources suggesting the use of advanced JavaScript or lookup files to work around these limitations. However, relying on advanced JavaScript may not be feasible for users without experience in that area, and utilizing lookup files isn't practical at this stage of the project.

    The optimization of filters, which is easily achievable in software like Tableau, is not as straightforward in Splunk XML. The client expressed a requirement for this functionality, and unfortunately, we currently need to either use lookup files, delve into advanced JavaScript or XML, or create a new dashboard using the Dashboard Studio, which is the advanced version of Splunk.

    For how long have I used the solution?

    I have been working with Splunk Enterprise Security for three months since I recently joined the Wipro organization and got enrolled in this project where they utilize Splunk Enterprise Security. 

    Splunk Enterprise Security was already implemented when I started working at my current company. I got onboarded to the project where they wanted data analysis skills, and they selected me because I had previous skills in Tableau for visualization purposes, and they needed someone who could visualize infrastructure metrics. They brought me into their project as a Splunk Enterprise Security observability analyst.


    What do I think about the stability of the solution?

    Splunk Enterprise Security is quite stable, and I have never experienced a breakdown with it. Sometimes, I only need to refresh the dashboard or refresh the URL from the browser, and everything resets. In terms of stability, everything we update in UAT or development reflects quickly, and I haven't encountered significant issues with the stability of Splunk Enterprise Security.

    What do I think about the scalability of the solution?

    I can rate Splunk Enterprise Security a seven out of ten in terms of scalability because it is purposefully designed for logs and metrics.

    How are customer service and support?

    I haven't had discussions with technical support for Splunk Enterprise Security as I've never needed to escalate issues. There is a separate team for Splunk Enterprise Security administration on the project, but I've had very little direct interaction with them.

    I referred to documents and guides that were included in the project guidelines. Additionally, for creating dashboards, I primarily used YouTube videos as reference.

    Which solution did I use previously and why did I switch?

    I was a data analyst in my previous organization where I utilized Tableau, so I am familiar with its benefits and can differentiate between the capabilities of both UIs. Splunk Enterprise Security is limited to metrics, traces, and logs data, whereas Tableau can handle any kind of data. This leads to a similar brainstorming process for various visualization needs. When it comes to Tableau and the healthcare industry, we encounter different kinds of data related to aspects such as insurance, patient information, and diseases. If we look at cloud products, we find that there are various offerings associated with the cloud. The dashboards created for these products are designed based on cloud data. For example, in the automotive industry, we observe a different approach. In Splunk Enterprise Security, we tend to focus on a single type of data. In contrast, Tableau, Power BI, and other tools allow us to utilize various types of data to address different types of problems more effectively.

    Splunk Enterprise Security is much more feasible as it is directly connected within the cloud servers, and whatever charts or dashboards we have to create can be easily tracked and created compared to Tableau. Some useful features from Tableau, such as cascading filters, are not available in the Splunk XML dashboards. In Splunk Enterprise Security, we use two types of dashboards: Dashboard Studio and simple XML Studio, with some limitations in the simple XML dashboard.

    What other advice do I have?

    My team has used the risk-based alerting feature of Splunk Enterprise Security. We recently discussed the alerting system concerning particular servers that can be triggered after assessing the risk, so that particular email or any generated data, charts, or everything associated, could be directly sent to the respective POCs. It will help in prioritizing security incidents for my team because there is another team utilizing this feature, allowing people to recognize which data or server is experiencing problematic issues, which helps enhance server inspection without always referencing the dashboard. Every morning, at a selected time based on the time zone, individuals can identify which server has a problem.

    I would rate Splunk Enterprise Security a six out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Mahmoud Younes - PeerSpot reviewer
    Cyber Security Architects at VaporVM
    Real User
    Top 5Leaderboard
    Apr 17, 2026
    Security monitoring has improved and now covers diverse attacks with rich incident management
    Pros and Cons
    • "When I compare it to different SIEM solutions, Splunk Enterprise Security has incident management and a threat intelligence component that is native and not limited the way different SIEM solutions are."
    • "The price is a significant concern. It is expensive and is designed for enterprise companies, not for small or medium-sized companies."

    What is our primary use case?

    There are a thousand use cases covered. Splunk Enterprise Security covers the MITRE ATT&CK framework for initial access, remote executions with malicious codes, and many other attack vectors. All use cases are covered by MITRE ATT&CK, including initial access, executions, discovery, and credential access.

    What is most valuable?

    When I compare it to different SIEM solutions, Splunk Enterprise Security has incident management and a threat intelligence component that is native and not limited the way different SIEM solutions are. It also has scoring features, including user scoring and correlations that the normal Splunk Enterprise doesn't have. In Enterprise, you have detection mapping to the MITRE ATT&CK framework. The GUI is very easy to use, and by using SPL, you can find or mine data easily. You can create custom dashboards. These are many benefits when compared with IBM QRadar or FortiSIEM for on-premises SIEM solutions.

    However, this solution is for enterprise companies, not for small or medium businesses. Splunk Enterprise Security has many integrations and connectors that are easy to use when compared with IBM QRadar or normal Splunk Enterprise.

    What needs improvement?

    The price is a significant concern. It is expensive and is designed for enterprise companies, not for small or medium-sized companies.

    Another area for improvement is the machine learning capabilities. There is no native AI or machine learning in Splunk when compared with different SIEM solutions. While it is there, it requires manual setup.

    For how long have I used the solution?

    I have been working with Splunk for two years.

    What do I think about the stability of the solution?

    There are no stability challenges. Even when creating a report, incident, or dashboard, or when parsing data, everything functions very smoothly. There are no challenges that I have observed.

    What do I think about the scalability of the solution?

    It is easy to scale. You can deploy it in containers or directly on-premises. It can also be used in the cloud. However, for distribution, you need some experience if you are running indexers and search heads. If you install it as an all-in-one solution, it is fine, and anyone can install it.

    How are customer service and support?

    The customer service is helpful. Even if you face something that does not have a direct solution, you can create a workaround. Issues are resolved on time.

    Which solution did I use previously and why did I switch?

    I deployed QRadar and Wazuh before.

    How was the initial setup?

    The initial setup does not take too much time. It can be completed quickly when compared with another product. The setup takes approximately 80 minutes.

    What about the implementation team?

    We are an MSSP, and we perform POCs or production implementations and recommendations for some customers. We are also a partner with Splunk. I am working with Cisco, and Cisco is a partner with Splunk.

    What was our ROI?

    For ROI measurement, I integrated Splunk with FortiSOAR. In FortiSOAR, I can calculate the ROI and the time for closing alerts. However, I have not tried this within Splunk itself.

    Which other solutions did I evaluate?

    For threat detection, I integrated Splunk with MDE and Falcon. For normal threat detection, you can enable threat feeds from MISP or SOCRadar to create rules and check if events have any malicious IOCs to trigger alerts.

    FortiSOAR and XSOAR are also alternative solutions.

    What other advice do I have?

    Even if you face something that does not have a direct solution, you can create a workaround. Issues are resolved on time. Splunk uses a very customizable SPL language. You can search easily, and for me, it is better than EQL in Sentinel or IBM QRadar. I would rate this product a 10.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
    Last updated: Apr 17, 2026
    Manager of Security Operations Center at Wipro Limited
    Real User
    Top 20
    Sep 2, 2024
    Helps ingest data, enhances business resilience and problem-solving capabilities
    Pros and Cons
    • "The two features I appreciate most in Splunk Enterprise Security are the content management system and the inter-incident review dashboard."
    • "They could offer pre-built search queries for everyday use cases like brute force attacks, DDoS attacks, and other security threats."

    What is our primary use case?

    I have created various correlation searches to develop use cases for detecting security threats. For example, I have created use cases to identify brute force attacks, unauthorized access, denial of service attacks, and distributed denial of service attacks. To date, I have developed a total of 190 use cases for our environment using Splunk Enterprise Security.

    How has it helped my organization?

    The end-to-end visibility provided by Splunk Enterprise Security is crucial. Its user-friendly interface makes it easy to navigate and configure. The intuitive options allow for simple customization, enabling users to easily select and configure settings. This feature, combined with the excellent support from the Splunk team, makes it a valuable tool for addressing enterprise security issues and creating or modifying use cases.

    Splunk's website provides a variety of simple commands for identifying security events. These commands and pre-built security fields make it easy to detect real-time attacks, monitor environments, and identify security threats. Splunk offers a more straightforward and efficient approach than other monitoring tools.

    Splunk automatically ingests and normalizes data, eliminating the need for human intervention. When data is ingested, it is automatically converted into index-friendly formats within most source pipes.

    The MITRE ATT&CK framework is a valuable tool for security teams, and its integration with Splunk Enterprise Security offers significant benefits. By mapping specific MITRE ATT&CK tactics to Splunk use cases, analysts can quickly identify the root cause of security incidents and access relevant information for remediation. For example, if a brute force attack occurs, an analyst reviewing the incident can quickly determine the corresponding MITRE ATT&CK tactic and access detailed information about the attack, including potential solutions, mitigation strategies, and potential future actions. This seamless integration between MITRE ATT&CK and Splunk empowers security teams to respond to threats more effectively and efficiently.

    Splunk has significantly enhanced my business resilience and problem-solving capabilities. Due to the urgency of different issues, there are four types of Splunk support cases: P1, P2, P3, and P4. P1 cases are incredibly critical and require immediate attention. If a business-critical issue arises, I can open a P1 case, and the Splunk support team will respond within 15 minutes. This rapid response has enabled me to resolve critical issues promptly. For P2 cases, the support team typically connects within two to three hours. P3 cases receive a response within 24 hours. Overall, the Splunk support team consistently resolves issues efficiently.

    After deploying the use case, we immediately observed the benefits of Splunk Enterprise Security. We can instantly monitor enterprise security use cases in our environment without delay. However, as a precautionary measure, we deploy use cases and monitor them for seven days. If the use case does not generate excessive noise within this period, we deploy it to the final environment. Otherwise, we refrain from deployment. Splunk's capability allows us to deploy use cases within seconds.

    Splunk helps me consolidate all the data, such as networking and cyber security data. If there are other types, such as behaviour analysis, we can perform them with the help of Splunk. But I'm mainly in the cyber security field, so I am more concerned with Splunk for cyber security data only. For example, in my PhD, I created my thesis based on medical performance monitoring. I monitor the performance health condition of one million people with the help of Splunk. So, this is not a cybersecurity use case I'm creating there. I monitor the health condition with the help of Splunk Enterprise. If a health condition is significant, the alert immediately goes to the doctor, physician, and their relative.

    My alert volume has decreased significantly. Splunk is a machine that generates alerts based on specific use cases or service queries. Before implementing a new use case or alert, we must analyze how many alerts it will trigger. If it generates fewer than one alert per day, it's acceptable. However, I will only deploy it if it generates one daily alert. This approach allows me to reduce the alert volume effectively using Splunk Enterprise Security.

    Splunk streamlined my security investigations by consolidating logs into a single repository. The Splunk community provided invaluable assistance, enabling me to quickly find answers to my security-related questions and address concerns promptly. By leveraging the collective knowledge of the global community, I expedited my security processes and enhanced overall security measures.

    Splunk reduces the mean time to resolve because it enables L1 SOC analysts to view relevant data in the power role field directly. For example, when a brute force attack alert triggers, analysts can easily see the source IP, time of the alert, user, destination IP, and other critical fields. This immediate access to information allows for swift preventive measures, countermeasures, and efficient resolution of cybersecurity issues. Splunk's clear and intuitive interface empowers even junior analysts with only one year of experience to effectively apply their knowledge and address security challenges.

    What is most valuable?

    The two features I like most in Splunk Enterprise Security are the content management system and the inter-incident review dashboard. The incident review dashboard allows us to directly view significant events triggered by the use cases I've configured within the content management system.

    What needs improvement?

    I suggest that Splunk provide the same resources on its platform as are available on other websites through Google. For instance, they could offer pre-built search queries for everyday use cases like brute force attacks, DDoS attacks, and other security threats. These queries would be generated based on my specific data, saving me the time and effort of creating them manually. This would be incredibly beneficial and align with the AI capabilities already present in Splunk Enterprise Security.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for eight years.

    What do I think about the stability of the solution?

    In the eight years I have used Splunk Enterprise Security, I have experienced no stability issues. There has been no downtime or crashing. The only problems I have encountered were temporary interruptions in some features, lasting approximately 15 minutes.

    What do I think about the scalability of the solution?

    Splunk Enterprise Security is highly scalable. For example, I currently have one terabyte of data to deploy, and tomorrow, I need to deploy ten terabytes. In that case, the system can easily accommodate the increased load without compromising performance. It is extremely fast and efficient, ensuring no issues even as the input data volume grows. The system adjusts quickly to meet the demands of expanding data requirements.

    How are customer service and support?

    I have contacted Splunk technical support three times in the past fifteen days due to various issues encountered while using Splunk. Each time I reached out, they responded promptly and assisted me in resolving the problems.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I have used several alternatives to Splunk, such as AppDynamics, Dynatrace, and Oracle Enterprise Manager. However, I have found Splunk Enterprise and Splunk Enterprise Security the most effective tools for my needs. These platforms are easy to use, allowing for flexible parameter customization and dynamic adjustments to meet specific requirements.

    How was the initial setup?

    The initial deployment of Splunk Enterprise Security was straightforward due to my prior experience learning and using various tools. I found it to be significantly easier to implement than similar software.

    I set up my lab independently, being new to the environment at the time and eager to learn. I visited the Splunk website and discovered the free courses they offer. Using these courses, I successfully configured my lab. Splunk provides valuable assistance for setting up personal labs and offers a 60-day trial version. This version allows for direct log setup and hands-on practice of Splunk skills without cost.

    What's my experience with pricing, setup cost, and licensing?

    Splunk Enterprise Security's pricing is competitive. For instance, the cost typically increases proportionally with the daily license volume. For example, purchasing a 100 GB license per day is less expensive than buying one GB per day. A discount is offered for larger volume purchases.

    What other advice do I have?

    I would rate Splunk Enterprise Security eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    SOC Analyst at Topcon Omni Systems, Inc.
    Real User
    Top 20
    Jul 9, 2024
    Makes investigations much easier by providing us with the relevant context to help guide our investigations
    Pros and Cons
    • "The most valuable features include the incident review and Dashboard Studio."
    • "Having analysts put their notes directly within the investigation feature in the incident review would be beneficial."

    What is our primary use case?

    The use cases depend on how you want detections to be set up. For example, you can have specific use cases for Office 365 alerts, Carbon Black, or more extensively toward the MITRE ATT&CK framework. You can enable different analysis stories and alerts based on these use cases. You can individually go ahead and enable them.

    How has it helped my organization?

    It is really important that Splunk Enterprise Security provides end-to-end visibility into our environment because there are multiple levels of hierarchy within an organization. 

    We need easy visibility starting from L0 analysts to the SOC manager and director. So, if it is easily visible, it makes the operations easy to teach the basic analyst or also to show the upper management what we have in the current scenario or how an investigation is going on. Visibility is very important.

    Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data. We have different teams approaching us to use Splunk, ingest their logs, and aggregate their logs.

    The system helped us reduce our alert volume mostly because a lot of false positives had been fine-tuned. That was my last two months of work consolidated. I had to go in, check on all the alerts, see what was using a huge spike in alerts, and make sure the false positives were reduced and the alerts had come down. 

    Splunk Enterprise Security provides us with the relevant context to help guide our investigations. It makes investigations much easier. With more information and the right applications, I break down the investigation in such a way that I can build a timeline. Once I have a timeline, I can build a story around it and make a report around it. Splunk definitely has helped a lot.

    Splunk Enterprise Security helped reduce our mean time to resolve. Using the identity investigator and asset investigator applications definitely reduces the mean time for an investigation. I can see all the authentication logs, changes made, and threat IDs by simply inputting a username or asset name. It reduces investigation time by about 60 to 75%.

    We currently use it for our security team. The next step is to pitch it to different teams and get it integrated for them as well.

    What is most valuable?

    The most valuable features include the incident review and Dashboard Studio. My job involves building dashboards, so it's easy to visualize and explain the environment using Dashboard Studio. 

    Incident review with my SOC job helps me check all the incidents and alerts coming in.

    What needs improvement?

    It would be beneficial if analysts could put their notes directly within the investigation feature in the incident review.

    We have to go to multiple tabs for each dashboard, each incident, or each application within Splunk. If there were a way to consolidate all the tabs, or everything, into one app for that particular organization, where an analyst could just click on it and everything is there, that would be a really good feature.

    For how long have I used the solution?

    I've been using Splunk for about five years now. I started at my previous job right after my master's. I was working for Santander Bank, where I used Splunk extensively for three years. I was a SOC analyst there.

    Now at the current company, I've been here for about a year, so I've been using it here as well.

    What do I think about the stability of the solution?

    Cisco being Cisco, just bought Splunk. I would give it some more time to see how things go. 

    Prior to Splunk's acquisition by Cisco, Splunk was really good. 

    How are customer service and support?

    Overall, the customer service and support were very good. At times, we had difficulties reaching out with our questions, but most of the time they were answered. Due to the time constraints, we had just 100 hours working with the consultant. So some things kind of took some time with that.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    When I joined this current company, they had Rapid7. It was horrendous and horrible. It was not easy to use. I'm kind of partial to Splunk because I started off with Splunk, so, we switched. 

    I joined last July and asked my manager about the current solutions. He was not happy with how Rapid7 was working either. We evaluated different vendors, including Microsoft Defender and Sentinel. My preference for Splunk played a role in our decision.

    What about the implementation team?

    We had a consultant for the integration process. They were very helpful. We had a consultant named Sayed who guided us through the process. They provided step-by-step instructions (kinda baby steps), walked us through analytics and restoring, and different aspects of Splunk. It was a really helpful experience.

    What was our ROI?

    It's only been about two and a half to three months. It's still fairly new to our environment. I would give it three to four more months before assessing ROI.

    Which other solutions did I evaluate?

    We evaluated Sentinel, Palo Alto, and Splunk, along with Rapid7, which was already in the environment. So, we evaluated these four options. 

    Splunk gave us the opportunity to take in or put in the logs whatever we wanted and plug in different applications, whichever we wanted to have the visibility. 

    We didn't have that flexibility with Palo Alto and Sentinel. We didn't have the investigation ease with the others; the investigation ease within Splunk is very easy. 

    I could build an SQL query within a minute, or I could just open up different documents to have it right there. But if I go to Palo Alto, it's not there. 

    Defender was quite a good competition. Like Sentinel, it was a good competition, but Splunk stopped where the investigation time was considerably less compared to Sentinel.

    What other advice do I have?

    Overall, I would rate it a nine out of ten because we haven't integrated a lot of applications like SOAR and stuff. Once we have everything in place, it might be a ten. But right now, I would go with a nine.

    Which deployment model are you using for this solution?

    Public Cloud

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    reviewer2755902 - PeerSpot reviewer
    Security Analyst at a computer software company with 51-200 employees
    Real User
    Top 10
    Sep 15, 2025
    Out-of-the-box detections have supported threat identification while integration consolidates alerts from multiple sources

    What is our primary use case?

    I use other types of security solutions that integrate or import data into Splunk Enterprise Security, such as EDRs, firewalls, and other security products. The integration supports my security operations by providing one clear view of threat detections from firewalls and imported data.

    What is most valuable?

    The features of Splunk Enterprise Security that I appreciate the most are out-of-the-box detections. These features have benefited my organization because it's a product we sell, and we sell detecting threats in the organization. The features have benefited the organizations I sell to because without them a lot would have been self-programmed, and they support us in very different ways.

    What needs improvement?

    It's difficult to answer how Splunk Enterprise Security can be improved because I'm hearing AI mentioned frequently in the keynote. It's definitely out there and it's improving the whole process. I think that a lot of effort is going into the realization of AI, but some effort is left out because they don't always mention that the outcome has to always be verified. You just say, 'Ask AI to narrow down the threats, show me how to write an email, summarize it up,' but the additional process that comes with it is verifying it all. Maybe question it, and sometimes it's wrong and you have to start over. I think improving it would be either having different AI responses to cover more, or always having to verify the user, not relying on an answer.

    The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are not in the product; they're in the human aspect. Writing the query and knowing what to search for is not a product problem.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for two years.

    How are customer service and support?

    I would evaluate customer service and technical support for Splunk Enterprise Security as good on a scale of one to 10.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    My experience with pricing, setup cost, and licensing is that it's expensive.

    What's my experience with pricing, setup cost, and licensing?

    I think the value of Splunk Enterprise Security is there, but it is one of the most expensive solutions on the market.

    What other advice do I have?

    My organization uses risk-based alerting in Splunk Enterprise Security, which supports our SOC by negating through false positives. On a scale of one to 10, I would rate Splunk Enterprise Security an eight.

    Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
    Last updated: Sep 15, 2025
    Eko Kurniawan - PeerSpot reviewer
    IT Operations & Security at veris
    Real User
    Top 5
    Aug 25, 2024
    We can manage all the logs from every device on a single dashboard
    Pros and Cons
    • "Splunk can deliver more information by going deeper. By creating a dashboard, we can identify the root cause of the threat. Let's say I have a firewall from Check Point. Splunk will find the dashboard for Check Point, implement it in our environment, and connect it to the Check Point firewall logs, which are shown on the dashboard. If we request a custom dashboard, the engineer will take longer to complete the task."
    • "Splunk should align its security principles with those of other vendors like SentinelOne. Splunk has mature APIs that can communicate with various security applications and devices. Splunk can process more to produce an understandable dashboard."

    What is our primary use case?

    I work in the pharma industry, and I use Splunk to aggregate all my reporting logs for my firewall and Active Directory logs. We have anti-spam, web application firewalls, and other solutions to secure our perimeter. We use Splunk for log management and have a stack to transpose a log from the firewall to a VM. When we directly feed the firewall logs to Splunk, they become intermittent and freeze. 

    How has it helped my organization?

    The biggest benefit is that we can manage all the logs from every device on a single dashboard. I can put the log from the core system into Splunk to analyze for abnormal behavior and show that to the developer to improve it. Splunk can also analyze our security devices for security posture for CRM and ISO requirements, helping the organization obtain its ISO certificates.

    We started to see the benefits of Splunk when we created our first dashboard. Based on the dashboard information, we can get deep insights from the log, where we define a security incident or event and assign a score to repetitive events. For example, we receive brute force attacks, where the hacker attempts to try a thousand or a million passwords. This will trigger alerts on the dashboard or email. We are not monitoring 24/7, so we can get alerts from Splunk. We can detect threats faster from firewalls and antivirus. 

    The consolidation helps us identify the source of the threat faster. They can analyze the forensics to dig into information from the log and correlate the devices. A unified log from various devices can simplify the IT team's response and reduce the alert volume by 35 percent. 

    What is most valuable?

    Splunk can deliver more information by going deeper. By creating a dashboard, we can identify the root cause of the threat. Let's say I have a firewall from Check Point. Splunk will find the dashboard for Check Point, implement it in our environment, and connect it to the Check Point firewall logs, which are shown on the dashboard. If we request a custom dashboard, the engineer will take longer to complete the task. 

    I can create a custom dashboard for the firewall, antivirus, or endpoint protection. This will take time to complete because they need to understand the log type and mitigation of the process from the system or API.

    Splunk helps us manage our hybrid environment, including our email system. The main email system is Microsoft Exchange, which is deployed on-premise, and the second is Office 365. There isn't much security for the hybrid environment. We get logs from the web application firewall, the firewall, and the anti-spam solution. 

    What needs improvement?

    Splunk should align its security principles with those of other vendors like SentinelOne. Splunk has mature APIs that can communicate with various security applications and devices. Splunk can process more to produce an understandable dashboard.

    Splunk's latest version is much better than before. It's more resilient and powered by AI. It can ingest more complex logs. It will be better because we're using the legacy one.

    For how long have I used the solution?

    I have used Splunk for around six years.

    What do I think about the stability of the solution?

    I rate Splunk 10 out of 10 for stability. We've had no problems as long as we ensure we have capacity planning for the log system, which is growing every second. 

    What do I think about the scalability of the solution?

    I rate Splunk nine out of 10 for scalability. 

    How are customer service and support?

    I rate Splunk support eight out of 10. Support was great, and they responded quickly. 

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    Splunk is our first SIEM, but we'd like to explore Wazuh more.

    How was the initial setup?

    It's hard to say whether deploying Splunk was straightforward or complex because sometimes the consultant did the work for us. I handled the operations side, and the consultant did the project itself. It was completed in two days. 

    What's my experience with pricing, setup cost, and licensing?

    Splunk is expensive. It's based on the data inside the log. If you produce bigger logs, the cost goes up. We pay a license up to a set size, let's say 100 gigabytes, and if we have 101, they charge us for the overage. We pay about a billion Indonesian rupiah. 

    There are many cheaper solutions. Microsoft Sentinel is also a little expensive, but there are cheaper ones like Wazuh, Graylog, and Rapid7.

    What other advice do I have?

    I rate Splunk Enterprise Security nine out of 10. If you want to use Splunk, you can try the free version, which goes up to half a gig. You can feed a log from the Active Directory. If you take that information directly from Active Directory, it will be hard to read. Splunk provides a good dashboard. 

    Splunk is an excellent choice for an organization that needs a fully scalable and highly customizable solution. We can customize the dashboard to combine all the device logs. Unfortunately, others still need to learn how to do that. It depends on an organization's needs and resources because it's not cheap.

    It's on the higher end of pricing, which can be a significant factor for small organizations with budget constraints. It's more appropriate for the enterprise level and companies with over 500 employees. 

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
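Two reviews above describe assigning a score to repetitive events such as brute-force login attempts and using risk-based alerting to cut false positives. What follows is an added illustration of that pattern in Python; it is not code from Splunk or from either reviewer, and the log format, rule names, scores and sample events are all hypothetical, constructed for the example.

```python
# Added illustration of risk-based alerting, not Splunk's own code; everything below is hypothetical.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # sliding window over which an entity's risk accumulates
THRESHOLD = 50                  # windowed score at which accumulated risk becomes an alert

@dataclass
class RiskEvent:
    ts: datetime
    entity: str  # risk object, e.g. "src:203.0.113.7"
    rule: str    # detection that contributed the score
    score: int

def parse_line(line):
    """Parse a constructed line: '<iso-ts> user=<u> src=<ip> action=<ok|fail> [geo=new]'."""
    ts, rest = line.split(" ", 1)
    return datetime.fromisoformat(ts), dict(kv.split("=", 1) for kv in rest.split())

def score_event(ts, f):
    """Hypothetical rules: map one parsed event to risk contributions for its source IP."""
    src = "src:" + f["src"]
    if f["action"] == "fail":
        return [RiskEvent(ts, src, "auth_failure", 5)]         # cheap, noisy signal
    if f["action"] == "ok" and f.get("geo") == "new":
        return [RiskEvent(ts, src, "login_from_new_geo", 20)]  # rarer, stronger signal
    return []

class RiskAggregator:
    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window, self.threshold = window, threshold
        self.ledger = defaultdict(list)  # entity -> contributions still inside the window
        self.last_alert = {}             # entity -> time of last alert, suppresses repeats
        self.alerts = []                 # (entity, total score, sorted contributing rules)

    def add(self, ev):
        buf = self.ledger[ev.entity]
        buf.append(ev)
        buf[:] = [e for e in buf if e.ts >= ev.ts - self.window]  # expire old contributions
        total = sum(e.score for e in buf)
        last = self.last_alert.get(ev.entity)
        if total >= self.threshold and (last is None or ev.ts - last >= self.window):
            self.alerts.append((ev.entity, total, sorted({e.rule for e in buf})))
            self.last_alert[ev.entity] = ev.ts

def run_rba(lines):
    """Feed events in time order; return the alerts the risk threshold produced."""
    agg = RiskAggregator()
    for line in sorted(lines):  # ISO timestamps sort lexically
        ts, fields = parse_line(line)
        for ev in score_event(ts, fields):
            agg.add(ev)
    return agg.alerts

def naive_alert_count(lines):  # baseline: one alert per failed login, the volume RBA is meant to cut
    return sum(1 for line in lines if parse_line(line)[1]["action"] == "fail")

# Constructed sample: 8 guesses at alice from one source, then a login from a new location; bob mistypes 3 times.
SAMPLE_LOG = (
    [f"2025-08-01T09:00:{i:02d} user=alice src=203.0.113.7 action=fail" for i in range(8)]
    + ["2025-08-01T09:00:08 user=alice src=203.0.113.7 action=ok geo=new"]
    + [f"2025-08-01T09:02:{i:02d} user=bob src=198.51.100.2 action=fail" for i in range(3)]
)
```

On the sample, per-event alerting would raise 11 alerts while the risk aggregator raises one, for the source whose failures and new-location login together cross the threshold; bob's typos never do.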
    Laurentiu Popescu - PeerSpot reviewer
    Chief Product Officer at ClusterPower
    Real User
    Top 5
    Aug 16, 2025
    Customizable dashboards improve decision-making and efficient threat intelligence integration

    What is our primary use case?

    We are using the SIEM platform in our security operations center. We use it both for internal purposes, for monitoring the alerts coming from our network, as well as we have built security operation center services for our B2B customers. We are using QRadar, Splunk Enterprise Security, and more recently, we have added Elastic on top of it.

    What is most valuable?

    The features of Splunk Enterprise Security that I find the most useful include the event collector and the tool for analyzing the incidents. The dashboard that we use summarizes the alerts within a certain period of time. The customizable dashboard feature helps to improve the team's decision-making skills because it provides us with a clear image of the types of events that we have within a month, and we are able to classify them based on severity.

    What needs improvement?

    I do not really have any additional features that I would want to see in Splunk Enterprise Security. The ticketing platform could be improved. We are using our own ticketing platform right now, but we have integrated it into Splunk Enterprise Security to communicate and report back to our customers on the events to have constant interaction.

    For how long have I used the solution?

    I have been working with Splunk Enterprise Security for more than five years.

    What do I think about the stability of the solution?

    I have not faced any issues with stability or upgrades so far.

    What do I think about the scalability of the solution?

    Splunk Enterprise Security is easy to scale for scalability. We onboard more and more endpoints from our customer infrastructure without any issues scaling it up.

    How are customer service and support?

    We provide the Splunk Enterprise Security Threat Intelligence framework as a level three service for hunting and deeper inspection. We aggregate everything into a threat intelligence platform and provide feedback to our customers on their events.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    Splunk Enterprise Security is quite easy to set up, especially the on-premises solution.

    What about the implementation team?

    I have contacted Splunk Enterprise Security support for issues through a local partner that we work with. They provide the first level of support and in case there is a problem with the platform, they escalate it to the vendor.

    What was our ROI?

    Since implementing Splunk Enterprise Security, I have seen a return on investment. It is primarily a safety tool, so we do not expect a return on investment, but since we use the platform as an MSSP partner for Splunk Enterprise Security, we incur revenues for the services that we provide to our customers. We had a business case and the TCO looks quite acceptable.

    What's my experience with pricing, setup cost, and licensing?

    Splunk Enterprise Security is reasonably priced compared to other platforms, and the licensing model is quite flexible. Based on the gigabyte of data that we ingest on a daily basis, it is quite well positioned in the market.

    What other advice do I have?

    The event collector has been useful for us to gather logs from our customer's infrastructure. We have VPN connections with our customers, and we use the event collector to gather data from their network devices and incorporate it into the SIEM platform for further analysis.

The integration of Splunk Enterprise Security with our existing security infrastructure has influenced our threat detection capabilities as we use it as an independent tool. We have other security tools in place, such as firewalls from FortiGate, from Fortinet. We have some endpoint protection solutions, but we have integrated everything into the Splunk Enterprise Security platform. We use it as an XDR platform to collect logs from different sources, from clouds, from Active Directory, from endpoints, from routers, from firewalls, from all the points in our customer's infrastructure.

    For the time being, we are quite satisfied with Splunk Enterprise Security. We are waiting for the AI engine to get more mature and to use it more extensively.

    I would rate Splunk Enterprise Security a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Last updated: Aug 16, 2025
    Vikram Cherala - PeerSpot reviewer
    Senior advisor at TekWissen India
    Real User
    Top 20
    Jun 2, 2024
    It's easier to customize than other solutions
    Pros and Cons
    • "We have created a few custom use cases for Splunk that have helped us detect threats faster. For example, we set up endpoint-related data models and specialized setups for various scenarios. It's more efficient than some other products I've used."
    • "The access and identity features could be improved. For example, let's say we have onboarded 65 logs. Now, we can identify the various processes, but we run into trouble when we're updating the processes for AWS CloudTrail, EDR, MDR, and XDR."

    What is our primary use case?

    I am on the intelligent engineering team responsible for onboarding logs and operationalizing Splunk Enterprise. We have a separate team for creating use cases and other stuff. I onboard logs and manage the infrastructure. When you onboard various logs, it creates different data models and normalizes the fields for compliance.

    How has it helped my organization?

    We have created a few custom use cases for Splunk that have helped us detect threats faster. For example, we set up endpoint-related data models and specialized setups for various scenarios. It's more efficient than some other products I've used. 

    Splunk has sped up our security investigations. We can automate some functions using playbooks, like automating scans for perimeter vulnerability. If you have the signatures, Splunk can intervene automatically to block threats according to the playbook. 

    What is most valuable?

    Splunk lets us integrate multiple third-party threat intelligence feeds. We can also customize the data models for correlation more than we could with competing SIEM solutions. We can filter out the noise and see our alerts. 

    I created some security reports or dashboards. We also have dashboards for user requests related to our firewalls, like Palo Alto and traffic or activity alerts. We can also see where we're getting a lot of authentication failures, etc. We've also created some other custom use cases, like using VPN logs and use cases for analyzing the national origins of repetitive malware. We have integrated some other solutions like Carbon Black EDR or MDR as well as Vectra, which is fully automated with AI. They have their own signatures.

    We get decent visibility with Splunk and integration with data visualization tools like Grafana. We also have various threat intelligence feeds that are updated regularly with the latest IOCs and signatures, which we can use for threat hunting. 

    What needs improvement?

The access and identity features could be improved. For example, let's say we have onboarded 65 logs. Now, we can identify the various processes, but we run into trouble when we're updating the processes for AWS CloudTrail, EDR, MDR, and XDR.

    For how long have I used the solution?

    I have used Splunk for the past three or four years. 

    What do I think about the stability of the solution?

    Splunk is stable. It has around 97 percent uptime in my environment. 

    What do I think about the scalability of the solution?

    I rate Splunk Enterprise Security nine out of 10 for scalability. 

    How are customer service and support?

    I rate Splunk technical support seven out of 10. We rarely rely on Splunk support except for critical upgrades and migrations. Sometimes, we open a ticket if we see a performance problem, and they find a solution. Typically, we find a solution for our issues online in user forums or knowledge bases.  

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    Previously, we used some open-source solutions, Sumo Logic, and Graylog. 

    How was the initial setup?

We have Splunk deployed in two environments for different purposes. One is for ITSI, general dashboards, and our APM application. That is deployed in the cloud. We have it in an on-premises environment for enterprise security. We have a cluster that spans three data centers. Deploying Splunk is easy if you have some experience. Configuring the log sources, managing the indexes, and learning all the features is more challenging.

    Splunk doesn't require maintenance aside from the disaster recovery and DLP aspects. We have a huge environment in different data centers set up for high availability. 

    What was our ROI?

Splunk is expensive, but you can get a lot out of it if you have the expertise and know how to customize it. It's more customizable than other platforms. In Java or .NET, everything is pretty defined, so you can't do much customization, whereas Splunk lets you customize dashboards, alerts, and reports using SQL. The cheapest solution is always open source, but these products don't have many capabilities. They might work in a small environment. I would recommend trying LogRhythm, ELK, or Google Chronicle.

    What's my experience with pricing, setup cost, and licensing?

    Splunk is very expensive because we have recently integrated another solution, and 40 percent of the licensing cost is driven by that. 

    What other advice do I have?

    I rate Splunk Enterprise Security nine out of 10. I would recommend Splunk to others. When implementing Splunk, it's crucial to set up your use cases, onboard threat intelligence and log sources, and create data models. Using simple XML language, you can create a data model and a simple pivot table to generate complex reports. 

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.