IT Operations & Security at veris
We can manage all the logs from every device on a single dashboard
Pros and Cons
- "Splunk can deliver more information by going deeper. By creating a dashboard, we can identify the root cause of the threat. Let's say I have a firewall from Check Point. Splunk will find the dashboard for Check Point, implement it in our environment, and connect it to the Check Point firewall logs, which are shown on the dashboard. If we request a custom dashboard, the engineer will take longer to complete the task."
- "Splunk should align its security principles with those of other vendors like SentinelOne. Splunk has mature APIs that can communicate with various security applications and devices. Splunk can process more to produce an understandable dashboard."
What is our primary use case?
I work in the pharma industry, and I use Splunk to aggregate all my reporting logs for my firewall and Active Directory logs. We have anti-spam, web application firewalls, and other solutions to secure our perimeter. We use Splunk for log management and have a stack to transpose a log from the firewall to a VM. When we directly feed the firewall logs to Splunk, they become intermittent and freeze.
How has it helped my organization?
The biggest benefit is that we can manage all the logs from every device on a single dashboard. I can put the log from the core system into Splunk to analyze for abnormal behavior and show that to the developer to improve it. Splunk can also analyze our security devices for security posture for CRM and ISO requirements, helping the organization obtain its ISO certificates.
We started to see the benefits of Splunk when we created our first dashboard. Based on the dashboard information, we can get deep insights from the log, where we define a security incident or event and assign a score to repetitive events. For example, we receive brute force attacks, where the hacker attempts to try a thousand or a million passwords. This will trigger alerts on the dashboard or email. We are not monitoring 24/7, so we can get alerts from Splunk. We can detect threats faster from firewalls and antivirus.
The consolidation helps us identify the source of the threat faster. They can analyze the forensics to dig into information from the log and correlate the devices. A unified log from various devices can simplify the IT team's response and reduce the alert volume by 35 percent.
What is most valuable?
Splunk can deliver more information by going deeper. By creating a dashboard, we can identify the root cause of the threat. Let's say I have a firewall from Check Point. Splunk will find the dashboard for Check Point, implement it in our environment, and connect it to the Check Point firewall logs, which are shown on the dashboard. If we request a custom dashboard, the engineer will take longer to complete the task.
I can create a custom dashboard for the firewall, antivirus, or endpoint protection. This will take time to complete because they need to understand the log type and mitigation of the process from the system or API.
Splunk helps us manage our hybrid environment, including our email system. The main email system is Microsoft Exchange, which is deployed on-premise, and the second is Office 365. There isn't much security for the hybrid environment. We get logs from the web application firewall, the firewall, and the anti-spam solution.
What needs improvement?
Splunk should align its security principles with those of other vendors like SentinelOne. Splunk has mature APIs that can communicate with various security applications and devices. Splunk can process more to produce an understandable dashboard.
Splunk's latest version is much better than before. It's more resilient and powered by AI. It can ingest more complex logs. It will be better because we're using the legacy one.
Buyer's Guide
Splunk Enterprise Security
May 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
902,270 professionals have used our research since 2012.
For how long have I used the solution?
I have used Splunk for around six years.
What do I think about the stability of the solution?
I rate Splunk 10 out of 10 for stability. We've had no problems as long as we ensure we have capacity planning for the log system, which is growing every second.
What do I think about the scalability of the solution?
I rate Splunk nine out of 10 for scalability.
How are customer service and support?
I rate Splunk support eight out of 10. Support was great, and they responded quickly.
Which solution did I use previously and why did I switch?
How was the initial setup?
It's hard to say whether deploying Splunk was straightforward or complex because sometimes the consultant did the work for us. I handled the operations side, and the consultant did the project itself. It was completed in two days.
What's my experience with pricing, setup cost, and licensing?
Splunk is expensive. It's based on the data inside the log. If you produce bigger logs, the cost goes up. We pay a license up to a set size, let's say 100 gigabytes, and if we have 101, they charge us for the overage. We pay about a billion Indonesian rupiah.
There are many cheaper solutions. Microsoft Sentinel is also a little expensive, but there are cheaper ones like Wazuh, Graylog, and Rapid7.
What other advice do I have?
I rate Splunk Enterprise Security nine out of 10. If you want to use Splunk, you can try the free version, which goes up to half a gig. You can feed a log from the Active Directory. If you take that information directly from Active Directory, it will be hard to read. Splunk provides a good dashboard.
Splunk is an excellent choice for an organization that needs a fully scalable and highly customizable solution. We can customize the dashboard to combine all the device logs. Unfortunately, others still need to learn how to do that. It depends on an organization's needs and resources because it's not cheap.
It's on the higher end of pricing, which can be a significant factor for small organizations with budget constraints. It's more appropriate for the enterprise level and companies with over 500 employees.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Chief Product Officer at ClusterPower
Customizable dashboards improve decision-making and efficient threat intelligence integration
What is our primary use case?
We are using the SIEM platform in our security operations center. We use it both for internal purposes, for monitoring the alerts coming from our network, and for the security operations center services we have built for our B2B customers. We are using QRadar, Splunk Enterprise Security, and more recently, we have added Elastic on top of it.
What is most valuable?
The features of Splunk Enterprise Security that I find the most useful include the event collector and the tool for analyzing the incidents. The dashboard that we use summarizes the alerts within a certain period of time. The customizable dashboard feature helps to improve the team's decision-making skills because it provides us with a clear image of the types of events that we have within a month, and we are able to classify them based on severity.
What needs improvement?
I do not really have any additional features that I would want to see in Splunk Enterprise Security. The ticketing platform could be improved. We are using our own ticketing platform right now, but we have integrated it into Splunk Enterprise Security to communicate and report back to our customers on the events to have constant interaction.
For how long have I used the solution?
I have been working with Splunk Enterprise Security for more than five years.
What do I think about the stability of the solution?
I have not faced any issues with stability or upgrades so far.
What do I think about the scalability of the solution?
Splunk Enterprise Security is easy to scale. We onboard more and more endpoints from our customer infrastructure without any issues scaling it up.
How are customer service and support?
We provide the Splunk Enterprise Security Threat Intelligence framework as a level three service for hunting and deeper inspection. We aggregate everything into a threat intelligence platform and provide feedback to our customers on their events.
How would you rate customer service and support?
Positive
How was the initial setup?
Splunk Enterprise Security is quite easy to set up, especially the on-premises solution.
What about the implementation team?
I have contacted Splunk Enterprise Security support for issues through a local partner that we work with. They provide the first level of support and in case there is a problem with the platform, they escalate it to the vendor.
What was our ROI?
Since implementing Splunk Enterprise Security, I have seen a return on investment. It is primarily a safety tool, so we do not expect a return on investment, but since we use the platform as an MSSP partner for Splunk Enterprise Security, we incur revenues for the services that we provide to our customers. We had a business case and the TCO looks quite acceptable.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is reasonably priced compared to other platforms, and the licensing model is quite flexible. Based on the gigabyte of data that we ingest on a daily basis, it is quite well positioned in the market.
What other advice do I have?
The event collector has been useful for us to gather logs from our customer's infrastructure. We have VPN connections with our customers, and we use the event collector to gather data from their network devices and incorporate it into the SIEM platform for further analysis.
The integration of Splunk Enterprise Security with our existing security infrastructure has influenced our threat detection capabilities as we use it as an independent tool. We have other security tools in place, such as FortiGate firewalls from Fortinet. We have some endpoint protection solutions, but we have integrated everything into the Splunk Enterprise Security platform. We use it as an XDR platform to collect logs from different sources, from clouds, from Active Directory, from endpoints, from routers, from firewalls, from all the points in our customer's infrastructure.
For the time being, we are quite satisfied with Splunk Enterprise Security. We are waiting for the AI engine to get more mature and to use it more extensively.
I would rate Splunk Enterprise Security a nine out of ten.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Technical Lead at a tech vendor with 5,001-10,000 employees
Monitoring file transfers has become detailed and reporting now provides flexible, time-based insights
Pros and Cons
- "Splunk Enterprise Security has the capability to pull the report from anytime or any respective time, or if I need it from all the time, then it can be helpful."
- "Because we are using a licensed DataDog, which gives us more reliable results. And for file logs, we are using a BAM, a business audit and monitoring tool, which gives us a more visualized experience than Splunk Enterprise Security."
What is our primary use case?
Currently we are using Splunk Enterprise Security for monitoring the jobs and along with Splunk Enterprise Security, we are using DataDog where it will be used for monitoring the servers and our URLs.
Currently, we are using it only for monitoring because that is going to be decommissioned very soon. So we have only had it active for monitoring for the last four years.
Currently, we are using the on-premises and we are slowly going to be migrated to the cloud, and then we can use that for whatever we have existing. We can utilize it in the cloud.
Splunk Enterprise Security is only used for our MFT tool purpose, which is integrated with our MFT tool.
What is most valuable?
Splunk Enterprise Security has the capability to pull the report from anytime or any respective time, or if I need it from all the time, then it can be helpful. And we can also set the monitoring for a particular server, particular file type, or a particular user. Those are some of the good features which I really appreciate.
Threat detection is not something we use. Our TechSec team uses their own respective tools such as Qualys to pull out the reports. And apart from that, they mainly look into DataDog.
DataDog will give a more pictorial idea of what went wrong, where it lagged, and where the issue is. But Splunk Enterprise Security won't give that much pictorial detail.
Compared to other tools, Splunk Enterprise Security is kind of user-friendly.
Initially, it was helping us to give the logs and integrate with Splunk Enterprise Security and all.
What needs improvement?
The main challenge is that it runs on the Linux part. So that is a very big challenge for us where we have installed it on the Linux machine. And getting it moved out from the Linux machine is the biggest challenge for us currently. So it is not so friendly for us to do that. That is why we came up with DataDog and then Splunk Enterprise Security is going out.
Now, we currently have completed all the setups. We are currently using it on-premises, but going forward, we will be utilizing the cloud environment.
Because we are using a licensed DataDog, which gives us more reliable results. And for file logs, we are using a BAM, a business audit and monitoring tool, which gives us a more visualized experience than Splunk Enterprise Security.
For how long have I used the solution?
For five years.
What do I think about the stability of the solution?
Currently, there are no stability issues. I am not that good at providing any advice, but these are my few feedbacks.
What do I think about the scalability of the solution?
Currently, there are no scalability issues.
How are customer service and support?
Currently, customer service is limited.
Which solution did I use previously and why did I switch?
We are using a licensed DataDog, which gives us more reliable results.
How was the initial setup?
It is not a support kind of thing. It is just helpful for looking around the logs.
What about the implementation team?
Initially, it was helping us to give the logs and integrate with Splunk Enterprise Security and all.
Which other solutions did I evaluate?
Our TechSec team mostly uses DataDog.
What other advice do I have?
I am using a Globalscape, not Axway.
I am working on MFT and SSIS.
Splunk Enterprise Security is only used for our MFT tool purpose, which is integrated with our MFT tool. Otherwise, our TechSec team mostly uses DataDog.
The complete Splunk Enterprise Security itself is going out, going to be decommissioned. So we are not at all using it. So I do not think there will be any more advancement on that part.
Currently, we do not have it.
I do not have any details about that.
It has had some of it, but as we are moving out of it, we never look into it so deeply. For the time being, it will be just refixed.
It is a good product. I rate this product an overall 8 out of 10.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Apr 16, 2026
System Engineer - Security Presales at Raya Integration
Achieve comprehensive data visibility with versatile language
Pros and Cons
- "Splunk Enterprise Security's most valuable features are its stability and the robust Splunk Search Processing Language, allowing extensive customization and analysis capabilities."
- "Splunk simplifies real-time problem identification and resolution by seamlessly integrating existing customer and vendor systems."
- "Splunk could enhance its offerings by incorporating modules for network detection and response and fraud management, along with improving its threat intelligence management capabilities."
What is our primary use case?
After the acquisition by Cisco, we are focusing on our partnership with them as a Gold Partner and Tier One reseller. Following the acquisition, we also shifted our focus to Splunk. I am a system integrator implementing Splunk for customers in their environments.
How has it helped my organization?
Splunk has a vast integration with multiple vendors, which makes it easy for our customers to integrate various cloud environments.
Splunk provides complete visibility when integrated with all installed appliances and applications.
The threat intelligence management feature is a good add-on for startups, especially given its affordability.
Splunk allows organizations to ingest and normalize data effectively.
Splunk simplifies real-time problem identification and resolution by seamlessly integrating existing customer and vendor systems. Its customizable dashboards can be tailored to map and reflect specific environmental needs precisely.
The threat topology and MITRE ATT&CK framework features can help discover the full scope of a security incident, provided they are fully integrated into the customer's environment.
Splunk's comprehensive log visibility enables efficient investigation of malicious activities and breaches. By generating a dashboard that collects logs from firewalls, emails, proxy endpoints, and threat intelligence, Splunk can provide access to critical information within seconds, significantly reducing investigation time compared to other vendors or solutions. This streamlined process, facilitated by Splunk's ability to gather and analyze diverse log data, ensures swift identification and resolution of security incidents.
It helps our customers improve their organization's business resilience.
The unified platform helps consolidate networking infrastructure and security. This single-platform approach offers the advantage of combining multiple technologies and features, streamlining operations and enhancing efficiency.
Implementing Splunk with SOAR capabilities, along with machine learning and AI for alert filtering, can significantly reduce alert volume without constantly interrupting administrators. This streamlined approach ensures that only alerts requiring approval are sent to administrators, optimizing their workflow and efficiency.
The analysts using Splunk, even the free edition, are very satisfied with the information it provides for their investigations.
Splunk has helped customers accelerate their security investigations by integrating AI and machine learning into its platform. This integration automates many basic tasks and saves valuable time.
Splunk helps reduce our customer's mean time to resolve.
What is most valuable?
Splunk Enterprise Security's most valuable features are its stability and the robust Splunk Search Processing Language, allowing extensive customization and analysis capabilities.
What needs improvement?
Splunk could enhance its offerings by incorporating modules for network detection and response and fraud management, along with improving its threat intelligence management capabilities. Additionally, the pricing could be made more competitive.
For how long have I used the solution?
I have been using Splunk Enterprise Security for almost six months.
What do I think about the stability of the solution?
Splunk is a very stable platform.
What was our ROI?
My customers feel it's a good investment, but Splunk updated its price models recently.
What's my experience with pricing, setup cost, and licensing?
One of Splunk's two major disadvantages is its high cost. The platform requires significant financial investment and resources, making it expensive despite its comprehensive features.
What other advice do I have?
Splunk has disadvantages such as cost and resource requirements. However, once I invest, it's a powerful platform that ranks number one in SIEM and observability. I rate the product nine out of ten due to pricing concerns and threat intelligence management not being advanced.
I believe Splunk is the top SIEM tool. However, the term "enterprise security" is misused when applied to Splunk. While many vendors claim to offer "enterprise security," true enterprise security should cover all aspects of cybersecurity. Splunk excels in SIEM, SOAR, and UEBA, but it doesn't address other crucial areas like firewalls, PAM, or web/mail gateways. Therefore, Splunk shouldn't be categorized as an "enterprise security" solution. Although Splunk leads in SIEM with its superior visibility and observability, it lacks presence in other essential cybersecurity domains.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Splunk and Python Engineer at a financial services firm with 10,001+ employees
Improves our ability to handle data from applications
Pros and Cons
- "Splunk's strength lies in its single-page view."
- "Due to its high licensing cost, Splunk is out of reach for many organizations."
What is our primary use case?
As a Splunk engineer, I collect data from various sources, including Universal Forwarder, Heavy Forwarder, DB Connect, and Syslog to monitor application logs. This data is used to create dashboards that visualize application health and identify potential security incidents. Additionally, I configure alerts to notify teams via Slack or email when CPU or memory usage reaches critical thresholds, allowing for prompt resolution. Furthermore, I use Splunk to create KPIs and NDDs for various aspects of the organization, including a custom ITSI service for Microsoft 365. This service monitors child entities like Teams, Outlook, and Edge within a parent application, tracking metrics like team member logins and meetings, CPU usage, and memory usage. All this information is consolidated into a three-page ITSI report.
Splunk Enterprise Security helps us detect malicious activity, such as failed login attempts by unauthorized users. These attempts, whether brute-force attacks or phishing attempts, trigger alerts with detailed information about the incident mapped to the MITRE ATT&CK framework. This allows our security team to investigate and take appropriate action quickly.
How has it helped my organization?
While managing Splunk's large clustered environments, I oversaw data collection from roughly 750 applications via universal deployment clients. This experience, coupled with my nearly six years of Splunk expertise, made monitoring application logs and creating Splunk knowledge bases straightforward tasks. While processing task cut-off tickets from the application team could be time-consuming, the actual monitoring itself was easy to manage.
The end-to-end visibility provided by Splunk is important because our company uses applications like K-Connect and Splunk to monitor user activity across different sectors. Having previously worked in both healthcare and finance, I'm familiar with how this process works. We access user information including personal data to track their activity from start to finish within our systems. Splunk allows us to mark specific user data points for further analysis, ensuring we have a full view of user or patient activity within each organization we serve.
Splunk helps me find security events across multi-cloud and on-prem platforms. I would identify missing data by checking the last hour's timeframe (span=1h). If on-prem or cloud data was missing, I'd investigate which logs weren't being ingested, whether an indexer was down, or if a forwarder wasn't sending data. Additionally, I'd check if the application or event log volume was overwhelming the universal forwarder, requiring a queue to process the data effectively.
Splunk improves our ability to handle data from applications. This data is often unstructured or unavailable in a usable format. To make it usable, we used to normalize the logs manually through back-end commands and edit various Splunk consoles and platforms. This process transformed the data into a structured, human-readable event format, allowing us to extract the information we needed.
We can identify potential malicious activity through Splunk by analyzing database logs with SQL queries. For instance, a high number of failed login attempts within a short timeframe could indicate unauthorized access attempts. Additionally, with multi-factor authentication systems like Duo, a user logging in from two geographically distant countries within a short period might be suspicious. To address this, I've developed SQL queries that check for logins within a one-hour timeframe across different countries. These queries trigger alerts on a dashboard, allowing IT to investigate the user's IP address and determine if the login is legitimate.
Splunk has significantly improved our business resilience by providing a single pane of view for all our data. This visualization allows us to monitor for anomalies, including unusual application activity, unauthorized executables, and suspicious shell scripts running on both Linux and Windows servers. By triggering alerts for these events, Splunk empowers our organization to proactively identify and address potential threats, ultimately improving overall stability.
Splunk allows us to easily check the data for malicious activity. It also helps reduce the alert volume by allowing us to set thresholds for alerts. For example, we only receive an alert when the CPU usage exceeds 90 percent or the number of failed logs is more than 15.
Splunk helps us investigate by providing relevant context from system logs. We can search the Splunk logs for specific applications and timeframes, and then examine all the data fields for suspicious activity, failed login attempts, or any other anomalies.
It helps security teams investigate threats faster by providing a central platform to collect and analyze data from various security applications. This focus on enterprise security allows teams to identify and respond to threats across the organization, leveraging frameworks like MITRE ATT&CK to match attacker techniques and tactics.
What is most valuable?
Splunk's strength lies in its single-page view. This interface allows us to explore all our data, build dashboards with alerts, and visualize real-time information through various charts like column, bar, and pie formats, providing a full user experience.
What needs improvement?
Due to its high licensing cost, Splunk is out of reach for many organizations. Making their licensing more affordable would open up Splunk's solution to a wider range of users.
For how long have I used the solution?
I have been using Splunk Enterprise Security for six years.
What do I think about the stability of the solution?
Splunk Enterprise Security is a stable solution.
What do I think about the scalability of the solution?
Splunk Enterprise Security has excellent scalability.
How are customer service and support?
The technical support is good.
How would you rate customer service and support?
Positive
How was the initial setup?
The deployment is complicated because our organization works with on-prem servers. All the data needs to be duplicated and all the searches and indexes need to happen properly.
What's my experience with pricing, setup cost, and licensing?
The Splunk licensing is high.
While more affordable, alternative SIEM solutions lack the flexibility and in-depth visualization capabilities offered by Splunk.
What other advice do I have?
I would rate Splunk Enterprise Security nine out of ten.
While Splunk Enterprise Security offers a user-friendly interface, its true power lies in its ability to create highly customized dashboards that streamline investigations and reporting.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
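The two detections this reviewer describes, a burst of failed logins above a threshold of 15 and one user logging in from two countries within an hour, re-implemented below as an added Python example over constructed authentication events; this is not the reviewer's own Splunk or SQL query. The log field layout, the ten-minute burst window and the assumption that a country code has already been resolved from the source IP upstream are assumptions made for the example.

```python
"""Added example: failed-login burst and impossible-travel detection over
constructed auth events (not the reviewer's Splunk/SQL queries).
Assumed record layout:  <ISO timestamp> <user> <success|failure> <country> <src_ip>
The country code is assumed to have been geo-resolved upstream."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class AuthEvent(NamedTuple):
    ts: datetime
    user: str
    result: str    # "success" or "failure"
    country: str   # ISO country code, assumed resolved from src_ip upstream
    src_ip: str


FAILED_LOGIN_THRESHOLD = 15              # review: alert when failures exceed 15
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # assumed "short timeframe"
TRAVEL_WINDOW = timedelta(hours=1)       # review: two countries within one hour

# Constructed sample log: 16 rapid failures for a service account, a few
# benign failures for alice, bob hopping ID -> US in 40 minutes, and carol
# moving DE -> US over 2.5 hours (plausible, must not alert).
_BASE = datetime(2025, 1, 15, 9, 0, 0)
SAMPLE_LOG = "\n".join(
    [f"{(_BASE + timedelta(seconds=10 * i)).isoformat()} svc_backup failure US 203.0.113.7"
     for i in range(16)]
    + [
        "2025-01-15T09:05:00 alice failure DE 198.51.100.4",
        "2025-01-15T09:06:00 alice failure DE 198.51.100.4",
        "2025-01-15T09:07:00 alice success DE 198.51.100.4",
        "2025-01-15T09:00:00 bob success ID 203.0.113.50",
        "2025-01-15T09:40:00 bob success US 192.0.2.10",
        "2025-01-15T08:00:00 carol success DE 198.51.100.9",
        "2025-01-15T10:30:00 carol success US 192.0.2.77",
    ]
)


def parse_log(text: str) -> List[AuthEvent]:
    """Parse whitespace-separated records and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result, country, src_ip = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), user, result, country, src_ip))
    return sorted(events, key=lambda e: e.ts)


def detect_failed_login_bursts(events: List[AuthEvent],
                               threshold: int = FAILED_LOGIN_THRESHOLD,
                               window: timedelta = FAILED_LOGIN_WINDOW) -> List[Dict]:
    """Sliding window per user: alert once when failures inside `window` exceed `threshold`."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.result == "failure":
            failures[e.user].append(e.ts)   # already time-sorted
    alerts = []
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts.append({"user": user, "count": count,
                               "first": times[start], "last": times[end]})
                break   # one alert per user; the dashboard drills into the rest
    return alerts


def detect_impossible_travel(events: List[AuthEvent],
                             window: timedelta = TRAVEL_WINDOW) -> List[Dict]:
    """Alert when consecutive successful logins for a user come from different
    countries closer together than `window`."""
    successes: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        if e.result == "success":
            successes[e.user].append(e)
    alerts = []
    for user, evs in successes.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.country != cur.country and cur.ts - prev.ts <= window:
                alerts.append({"user": user, "from": prev.country, "to": cur.country,
                               "src_ips": (prev.src_ip, cur.src_ip),
                               "minutes_apart": int((cur.ts - prev.ts).total_seconds() // 60)})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_failed_login_bursts(evs) + detect_impossible_travel(evs):
        print(alert)
```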
Incident reviews and machine learning capabilities help identify and prevent incidents
Pros and Cons
- "The incident review in Splunk Enterprise Security seems to be the most helpful feature."
- "Splunk Enterprise Security is more advanced compared to other solutions, which makes it stand out as a better option."
- "It would be nice to have more advanced UEBA in Splunk Enterprise Security. Additionally, it would be beneficial if they offered more threat intel feeds for free."
- "One thing that I probably dislike the most about the Splunk product is their support."
What is our primary use case?
We use Splunk Enterprise Security for security monitoring.
How has it helped my organization?
Advanced correlation capabilities help to identify the patterns of malicious activities.
Machine learning capabilities in Splunk Enterprise Security have been effective for identifying and preventing incidents. Through machine learning, they correlate all the data and create notable events, which helps us identify malicious or suspicious traffic.
We have used the risk-based alerting a little bit. So far, it's been just fine. We haven't gone deep into it. Our other operations team hasn't utilized it to its full capacity, but it makes a pretty good filter overall.
The impact of automated responses provided by Splunk Enterprise Security has been very good on the efficiency of routine security operations.
What is most valuable?
The incident review in Splunk Enterprise Security seems to be the most helpful feature.
What needs improvement?
It would be nice to have more advanced UEBA in Splunk Enterprise Security. Additionally, it would be beneficial if they offered more threat intel feeds for free.
Furthermore, incorporating Attack Analyzer into the main product instead of having it as a separate paid purchase would be an improvement.
For how long have I used the solution?
I have been using the solution for about three years.
What do I think about the stability of the solution?
I've had an issue only once with one of their products, but overall, it's been pretty good.
What do I think about the scalability of the solution?
Its scalability is pretty good.
How are customer service and support?
For Splunk Enterprise Security, it's been pretty good. For the regular Splunk Enterprise Platform, overall, it's like a C-minus. One thing that I probably dislike the most about the Splunk product is their support.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I previously used LogRhythm. Splunk Enterprise Security is more advanced compared to other solutions, which makes it stand out as a better option.
How was the initial setup?
I deployed Splunk Enterprise Security using professional services, and overall, it was good. My main responsibility was handling the coordination. The full implementation took about four months.
Approximately 90% of maintenance is done by Splunk.
What about the implementation team?
The implementation was handled by myself.
We purchased Splunk Enterprise Security through a reseller called AccessIT.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is a bit expensive overall, but it provides good value.
What other advice do I have?
I would rate this solution an eight out of ten overall.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Section Head at Galaxy Chemicals Egypt
Improves our security posture and offers good reporting capabilities
Pros and Cons
- "The most valuable features of Splunk Enterprise Security are reporting capabilities. It is a good tool for checking systems and analyzing situations. I find it useful to check my systems and analyze situations."
- "Splunk's support is better, and its reporting is easier and better."
- "The documentation and training resources available for knowledge and training can be expanded. We need to learn more about Splunk Enterprise Security and new security attacks."
What is our primary use case?
My usual use cases for Splunk Enterprise Security include normal reporting.
How has it helped my organization?
Splunk Enterprise Security has positively impacted my organization by increasing security defense. It provides a good environment for defense.
What is most valuable?
The most valuable features of Splunk Enterprise Security are reporting capabilities. It is a good tool for checking systems and analyzing situations. I find it useful to check my systems and analyze situations.
What needs improvement?
The documentation and training resources available for knowledge and training can be expanded. We need to learn more about Splunk Enterprise Security and new security attacks.
For how long have I used the solution?
I have been working with Splunk Enterprise Security during the last year.
What do I think about the stability of the solution?
I would rate Splunk Enterprise Security an eight out of ten for stability. In security, nothing is 100%.
What do I think about the scalability of the solution?
I would rate the scalability of Splunk Enterprise Security an eight out of ten. I have not tried anything to scale up or scale out as it is a new setup, but I believe it will be easy for that.
How are customer service and support?
I would rate the technical support of Splunk a seven out of ten. Sometimes there are delays. It is related to their giving a response after some time.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I used QRadar. The switch from QRadar to Splunk Enterprise Security was a management decision. We moved to Splunk Enterprise Security because of its benefits. Splunk's support is better, and its reporting is easier and better. There are also pricing advantages.
How was the initial setup?
It is a normal process. It isn't complex, but it is a new setup with new interfaces and a new way of thinking. It is always a challenge to use new software, and it takes some time to get familiar with it.
What about the implementation team?
I can install Splunk Enterprise Security myself, though some things require dealing with external assistance.
What was our ROI?
We have not calculated ROI in our environment. I have not received any assignment or recommendation to calculate ROI.
What's my experience with pricing, setup cost, and licensing?
The pricing of Splunk Enterprise Security is somewhat high, but comparing it with its benefits, it's acceptable. It depends on the type of business.
What other advice do I have?
Overall, I would rate Splunk Enterprise Security an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Developer/Architect at a government with 10,001+ employees
It integrates well, reduces alert volume, and we can customize the dashboards
Pros and Cons
- "Splunk Enterprise Security allows us to create custom dashboards by changing fonts and modifying widgets."
- "I've noticed that onboarding data from various multi-cloud sources and diverse products, such as security network devices, can be challenging."
What is our primary use case?
We use Splunk Enterprise Security for various security use cases, including writing correlation searches. This has significantly improved both our use cases and correlation searches. We can leverage existing resources, making modifications as needed, rather than starting from scratch each time. Splunk Enterprise Security provides diverse use cases across different environments, including AWS, Azure, and multi-cloud setups, while also integrating with Microsoft Sentinel. Additionally, we can integrate Splunk's service orchestration product for further automation. Overall, this allows us to automate tasks that security analysts previously performed manually, such as reviewing incident dashboards. We can fine-tune alerts based on analyst feedback. Splunk's research team ensures that use cases are updated with the latest security content, enabling us to understand and implement necessary steps while customizing them to fit our company's needs.
This is what makes Splunk Enterprise Security so popular; it streamlines processes compared to legacy security products that often rely on manual scripts. Clients, including government agencies and banks, are transitioning to Splunk Enterprise Security due to its reduced training requirements and comprehensive features. Everything is consolidated, simplifying training and certification. Additionally, integrating Splunk's service orchestration product further automates tasks and improves response times. The substantial investment in Splunk indicates its staying power; no other product on the market currently offers comparable capabilities. Cisco's acquisition of Splunk reinforces its potential for success, combining APM, data logging, and security portfolios.
In one financial project involving 600,000 users, we were able to monitor all incoming traffic, identify security activities, and distinguish between legitimate and malicious traffic, including phishing attacks and potential identity-based threats.
Splunk enables tracking individual identities, crucial for detecting attacks where perpetrators hide behind compromised identities, often leading to data breaches and other security incidents.
We implemented Splunk Enterprise Security to assist with AWS security, which includes GuardDuty, CloudTrail, CloudWatch, and Inspector. These AWS components generate compliance and security alerts, which we correlate and use to create dashboard reports and identify security events for various use cases. We then enable the out-of-the-box use cases and send notable events to the dashboard. The implementation is currently in its early stages.
How has it helped my organization?
Splunk Enterprise Security operates based on incoming data, making monitoring multiple cloud environments relatively simple due to data availability and integration capabilities. Data from CloudTrail, CloudWatch, Azure, and other diverse environments can be incorporated. While occasional patching might be necessary, most integrations are readily available, offering extensive coverage without customization. Specific customizations might still be required, but most functionalities are pre-built, leveraging code developed by Splunk. This efficient approach involves analyzing data from vendors like Palo Alto and applying add-ons to apply code and automate parsing.
Our visibility into various environments depends on how much data we incorporate; therefore, the more we scan, the better our visibility.
Splunk Enterprise Security's insider threat detection capabilities act as a secondary approval and vetting process, helping our organization ensure there are no unauthorized users.
The MITRE ATT&CK framework allows us to identify criticality levels, helping us respond to incidents. We might integrate incident response with a REST API, where a notable event triggers the creation of a ServiceNow ticket. Information flows from ServiceNow back to Splunk, which then feeds other systems, enabling bidirectional incident management. These processes are largely out-of-the-box, as Splunk integrates well with ServiceNow, except for any customizations. We understand the data integration requirements and leverage Splunk's extensive integration capabilities.
Splunk Enterprise Security does a good job of analyzing malicious activities and detecting breaches. The amount of information the research and threat detection teams receive from Splunk enables faster threat detection of up to 60 percent, eliminating the need to consult numerous sources. This efficiency is a key benefit of Splunk, as its significant investment in security allows for expedited processes.
I have seen the older legacy product where they have this manual process to identify issues, run scripts, try to identify the output, and then go through ten systems to collect data. This could take days. Now, with Splunk, we have everything correlated with multiple use cases, and we have a correlation search between multiple systems, along with application data. Splunk Enterprise Security can stitch all this information together and show it in a single pane of glass, which makes decision-making faster and allows us to focus on the relevant issues instead of wasting time on non-relevant ones. They have done this well.
Splunk Enterprise Security significantly reduced our alert volume. The initial challenge was dealing with a legacy IBM system that generated a massive amount of unfiltered noise, making it difficult to identify relevant events to send to the incident dashboard. This process was time-consuming and inefficient, and the value of the system wasn't apparent. To address this, we fine-tuned both the SOAR system and Splunk by applying filters and conditions to focus on relevant data. Ultimately, Splunk reduced the alert noise from 1,000 events in two hours down to ten, which were then grouped into a single notable event. Despite potentially having hundreds of background events, Splunk condensed this information into a single, actionable item, allowing us to focus on investigating the most relevant issues.
Splunk Enterprise Security accelerates our security investigations by reducing noise, allowing us to focus on relevant use cases. Everything is categorized as high, medium, or low priority, and people immediately start investigating high-priority issues connected to PagerDuty. Sometimes, this leads to on-call situations, sometimes immediate action. Service orchestration and playbook scenarios enable automated responses, like instantly blocking unauthorized access to a system. The possibilities for security use cases with playbooks and service orchestration are vast, and I'm excited to explore them further in the coming days.
The dashboards and reporting capabilities help to aid our security analysis.
We have integrated Splunk Enterprise Security with various services to streamline our security operations. This integration allows us to leverage diverse data sources for creating lookups, data models, knowledge objects, and regular expressions. By automating the development of use cases and regular expressions, we can apply them to data more efficiently, enabling faster implementation and analysis. This approach enhances our ability to detect and respond to security threats effectively.
Splunk Enterprise Security has enhanced our organization's security posture by providing comprehensive security compliance dashboard reports.
What is most valuable?
I appreciate how Splunk Enterprise Security connects users to the research team and threat documentation, providing access to current events impacting other clients, security vulnerabilities, and relevant use cases. The platform's daily updates offer valuable insights for enhancing our security posture.
Splunk Enterprise Security allows us to create custom dashboards by changing fonts and modifying widgets. Those familiar with XML coding can further personalize dashboards to align with frameworks such as MITRE. Alternatively, we have the option to use the pre-built dashboards.
What needs improvement?
I've noticed that onboarding data from various multi-cloud sources and diverse products, such as security network devices, can be challenging. Although Splunk has simplified data onboarding with features like data managers, they need to improve their out-of-the-box parsing capabilities. While they've made significant progress, covering about 70 percent of common products, there's still a 30 percent gap where manual configuration is required. This forces us to spend time understanding and writing custom parsing rules instead of focusing on data analysis. With Splunk's recent acquisition by Cisco, I'm hopeful they will prioritize enhancing this functionality and increasing their coverage to 90 percent or more.
I want to see Splunk Enterprise Security dashboards incorporate more features, such as out-of-the-box AI and user behaviour analytics, which are accessible within a single dashboard.
The technical support response time has room for improvement.
For how long have I used the solution?
I have been using Splunk Enterprise Security for three years.
What do I think about the stability of the solution?
Splunk Enterprise Security has stability issues, especially with large data volumes, increased data intake, complex dashboards, custom models, and processing that significantly impact performance. Many customers experience this; even with demos using small datasets, performance degrades with millions of data points. This necessitates capacity planning, dedicated teams, and enforced best practices. These practices include restricting complex searches, blocking problematic users, and providing training to prevent performance degradation. Constant vigilance and proactive measures are crucial to maintaining a stable Splunk Enterprise Security environment. I would rate the stability of Splunk Enterprise Security five out of ten.
What do I think about the scalability of the solution?
I would rate Splunk Enterprise Security's scalability six out of ten. We need to add more shared CPU memory and increase the capacity, and scaling requires a lot of planning and effort.
How are customer service and support?
Splunk's support quality has declined in the past five years. Response times are now slower, and resolving an issue can take weeks. Submitting a ticket and connecting with the appropriate support agent often requires numerous emails and calls.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
To improve security coverage and user experience, we replaced our outdated legacy solution with Splunk Enterprise Security.
How was the initial setup?
Our Splunk Enterprise Security cloud deployment utilizes a DevOps approach with a fully automated CI/CD pipeline. This automation has significantly improved our deployment speed, reducing the process from a week to a few minutes. Changes are made in the development environment and then automatically pushed to production after a click-through approval process. This streamlined workflow eliminates the previous manual process and associated delays, resulting in a faster and more efficient deployment cycle.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security's pricing is based on data volume, which generally suits large enterprises.
What other advice do I have?
I would rate Splunk Enterprise Security eight out of ten.
Splunk is widely used across larger organizations. While large organizations often have extensive teams dedicated to Splunk projects and upgrades, smaller organizations can also use Splunk, taking advantage of more affordable pricing options like the free tier for limited data. Cost isn't a significant concern for larger organizations, who prioritize Splunk's security features and are willing to invest in its capabilities.
Splunk Enterprise Security is deployed across all departments, processing millions of data points. Over 500 people manage this data: building dashboards and reports, working with Enterprise Security, discussing use cases, and creating custom data models. This represents a massive effort for any large organization where every department utilizes Splunk.
Government departments are transitioning to Splunk, with daily onboarding increasing the current user base of 5,000.
Because the deployment is cloud-based, the Splunk DevOps team handles maintenance.
Splunk offers a resilient SIEM solution with comprehensive capabilities for research and a wide range of use cases. It is constantly updated, ensuring it remains a valuable and comprehensive SIEM package.
I recommend Splunk Enterprise Security. It is an excellent tool widely used by many organizations, making it a valuable choice for security information and event management.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Cybersecurity and Ethical Hacking at NUPAT TECHNOLOGIES
Detecting threats faster with end-to-end visibility and simple data import processes
Pros and Cons
- "Splunk Enterprise Security helps me detect threats faster depending on the type of log I'm using. If I have a current company's log, I can easily detect it faster."
- "The main improvement needed in Splunk Enterprise Security is its system visibility after installation."
What is our primary use case?
I use Splunk Enterprise Security to analyze logs and data. When it comes to hybrid or multi-cloud, Splunk Enterprise Security has helped me find events. I use event logging and event IDs, which has helped me.
What is most valuable?
Splunk Enterprise Security helps me detect threats faster depending on the type of log I'm using. If I have a current company's log, I can easily detect it faster.
The ability of Splunk Enterprise Security to import data is simple. It is not hard; it is just an easy task that gives me what I want.
The command line in Splunk Enterprise Security helps to search for specific queries, such as analyzing a security log to find login attempts and distinguish between failed and accepted passwords.
End-to-end visibility in Splunk Enterprise Security is something that is appreciated. Splunk Enterprise Security is easy to use.
The Threat Intelligence Management feature in Splunk Enterprise Security is applied and helps me to normalize the data.
Splunk Enterprise Security is part of the SIEM tool, so it helps me tremendously to do my work.
What needs improvement?
The main improvement needed in Splunk Enterprise Security is its system visibility after installation. When you install Splunk, you cannot see it on the system as an application. If you are unfamiliar with Splunk and download and install it, you will not see it as an application on your system. You have to go back to your browsing history to get the link and start using it again. Additionally, Splunk Enterprise Security does not always provide an immediate response to alerts on threats.
For how long have I used the solution?
I have been using Splunk Enterprise Security for three years now.
What do I think about the stability of the solution?
Scalability in Splunk Enterprise Security is satisfactory.
How are customer service and support?
I have not needed any help from the support team at Splunk before, so I have not required any assistance from them.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Splunk Enterprise Security was the first solution I learned, and it remains the only one I am using now.
I use a whole lot of tools at the moment aside from Splunk. I use Wireshark, I use Kali, I use Splunk Enterprise Security, and I use Metasploit.
What other advice do I have?
Splunk Enterprise Security can make mistakes, so we do not solely rely on the out-of-the-box detections. It can also be part of a hybrid or multi-cloud environment. Everything depends on who teaches you Splunk Enterprise Security. Someone can teach you, and it becomes simple, or it can become complex. To me, it is not complex as I am experienced in using Splunk Enterprise Security.
I utilize Splunk Enterprise Security to analyze and conduct investigations as part of my job. There is minimal intrusion, so I receive few alerts regarding malicious threats. We do not have a partnership with them; we use it as a normal user through the internet.
Regarding sustainability, manufacturers must continually update their products, add new features, and optimize them. They need to optimize extensively because with threats and vulnerabilities, we always have to update to the latest features.
Overall, when it comes to performance and reliability, I rate Splunk Enterprise Security an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
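Two points made in the reviews above, separating failed from accepted logins in a security log and collapsing a flood of raw events into one notable item, worked through as detection logic over sample log lines. This is added example code, not from PeerSpot, Splunk or any reviewer; the auth-log lines are constructed in OpenSSH style and the threshold of five failures is an assumption.

```python
"""Added example: per-source login triage that groups a burst of failed logins
into one notable event and escalates it when the same source later succeeds.
Not Splunk code; the log lines below are constructed and the threshold is assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events in OpenSSH auth-log style, using RFC 5737 test addresses.
SAMPLE_LOG = """\
Mar 10 09:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 10 09:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 09:00:04 host1 sshd[2003]: Failed password for invalid user test from 203.0.113.7 port 51003 ssh2
Mar 10 09:00:06 host1 sshd[2004]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 09:00:09 host1 sshd[2005]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar 10 09:00:12 host1 sshd[2006]: Accepted password for alice from 198.51.100.20 port 40001 ssh2
Mar 10 09:00:15 host1 sshd[2007]: Failed password for alice from 198.51.100.20 port 40002 ssh2
Mar 10 09:00:30 host1 sshd[2008]: Accepted publickey for bob from 198.51.100.21 port 40010 ssh2
Mar 10 09:01:00 host1 sshd[2009]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar 10 09:01:02 host1 sshd[2010]: Accepted password for root from 203.0.113.7 port 51007 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    outcome: str  # "Accepted" or "Failed"
    method: str   # "password", "publickey", ...
    user: str
    src: str


@dataclass(frozen=True)
class Notable:
    src: str
    failed_count: int
    users: tuple                    # distinct usernames tried from this source
    success_after_failures: bool    # a later Accepted login from the same source
    severity: str                   # "high" when the guessing appears to have worked


def parse_events(text: str) -> list:
    """Turn raw log text into typed events, oldest first; unparsed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog lines carry no year, so only ordering within the file is meaningful.
        events.append(AuthEvent(datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                                m["outcome"], m["method"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)


def build_notables(events: list, threshold: int = 5) -> list:
    """Collapse each source's burst of failures into one notable, as a correlation search would."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    notables = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e.outcome == "Failed"]
        if len(fails) < threshold:
            continue  # below threshold: stays a raw event and never reaches the analyst
        first_fail = fails[0].ts
        # The case to escalate: the same source logs in successfully after the failures.
        success_after = any(e.outcome == "Accepted" and e.ts > first_fail for e in evs)
        notables.append(Notable(src, len(fails), tuple(sorted({e.user for e in fails})),
                                success_after, "high" if success_after else "medium"))
    return notables


def summarize(text: str, threshold: int = 5) -> dict:
    """Counts showing the reduction from raw events to notables for the analyst queue."""
    events = parse_events(text)
    notables = build_notables(events, threshold)
    return {
        "raw_events": len(events),
        "failed": sum(e.outcome == "Failed" for e in events),
        "accepted": sum(e.outcome == "Accepted" for e in events),
        "notables": len(notables),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the constructed sample, ten raw events (seven failed, three accepted) reduce to one high-severity notable for 203.0.113.7, because that source failed six times across three usernames and then succeeded.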
Principal Cyber Security Engineer at a financial services firm with 5,001-10,000 employees
Provides users with insights and the ability to send alerts to analysts
Pros and Cons
- "The benefits my company has seen from the use of Splunk Enterprise Security revolve around the speed of detection it offers."
- "I think the only thing lacking is that there are some answers that I couldn't find about the tool without reaching out to support, and it had to be escalated to the engineering team."
What is our primary use case?
I mostly use the solution in my company for incident response, ticket management, and integration with other endpoint products.
How has it helped my organization?
The benefits my company has seen from the use of Splunk Enterprise Security revolve around the speed of detection it offers.
What is most valuable?
The most valuable feature of the solution is the correlation searches. The one-stop shop shows me all my insights and alerts, and can send alerts to my analysts.
I would say it is fairly important for my organization that Splunk Enterprise Security provides end-to-end visibility in our environment. At the same time, my company has other products that cover the observability piece. From a security perspective, we use data outside of our security data to piece together the whole picture. I think our company's perspective is that no matter how we get the whole picture, we will do it, even if it is from outside Splunk Enterprise Security. I think Splunk Enterprise Security plays a major role in this.
In terms of Splunk Enterprise Security for helping our company find any security event across multi-cloud, on-premises, or hybrid environments, I would say that it is great once you get past the learning curve. The learning curve is higher than normal.
I think Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data in a great manner. Splunk is a great product and provides these features, but not so much when it comes to identifying and solving problems in real-time because there are always data delays. There is always onboarding, mapping, creation of correlation search, and then enabling Splunk ESCU part. It works in a general sense and not on a real-time basis.
In terms of whether Splunk Enterprise Security has helped reduce alert volume, I would say that it is the only active SIEM tool my company is currently utilizing. Reducing alert volumes involves tuning up certain areas of the engineering team. If I look at the product alone, I would say it can help reduce alert volume. If I consider the learning curve, I would say that you have to learn how to tune it the right way with the help of professional services or experts. You need to utilize your resources, which I think is the best way to do it.
Splunk Enterprise Security provides our company with relevant context to help guide our investigations since the correlation searches with the enriched data do help gain insights on all of our investigations. At the current point, we are still trying to get past the tool's learning curve so that all of our analysts and everyone on the security team can utilize the tool the best way they can. The more they learn, the better it gets, so currently, we are doing our best.
Splunk Enterprise Security helped reduce the mean time needed to resolve our issues because we have all our data in a centralized location and mapped to a data model. As long as we know what detection and data we are looking at, we can go to our data model and figure out where the issue lies.
Splunk Enterprise Security's ability to help improve our organization's business resilience revolves more around observability. Our company recently migrated to Splunk Cloud, and I think we have more hands-on experience with the ingestion side than ever before. I think it is a lot easier for us since we moved to Splunk Cloud as we don't have to focus on maintaining the infrastructure so much, and we can focus more on the data. I think this is outside of Splunk Enterprise Security's scope and falls under Splunk Cloud's capacity.
Speaking about Splunk's unified platform helping consolidate networking, security, and IT observability tools, I would say that my company is not there yet.
What needs improvement?
In the next release, I want Splunk to offer more openness to integrations with other products that may be more of a preference for my incident response teams.
For how long have I used the solution?
I have been using Splunk Enterprise Security for five years. I am an end-user.
What do I think about the stability of the solution?
In terms of stability, if configured correctly, it works great.
What do I think about the scalability of the solution?
With Splunk Cloud, I think using the tool's scalability feature is easy since one can just call the product's support team.
How are customer service and support?
The solution's technical support is great since they have been very responsive and very attentive while answering all my questions. If the support team can't answer my questions, they escalate it to their engineering team.
I have had nothing but good things to say about Splunk's technical team. There have been times when I had to rephrase my questions or when there were communication issues, but the time to respond, escalation, and the attempts in trying to find help and answers from the support team's end have always been great.
I think the only thing lacking is that there are some answers that I couldn't find about the tool without reaching out to support, and it had to be escalated to the engineering team. If this process is the only way I can find answers, I think it is a little bit limiting for an engineer who supports a real-time incident response team. I rate the technical support a nine and a half out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have personally not used any other product before Splunk Enterprise Security.
How was the initial setup?
The product's deployment phase was pretty easy to manage since our company has a migration team and support staff. We also had a really good project manager from Splunk to help us, who walked us through every step, and it was a great experience.
The solution is deployed on Splunk Cloud, which runs on AWS.
What about the implementation team?
My company works with Splunk directly to help us with the implementation, and our experience with the product has been great.
What was our ROI?
I have not seen an ROI.
What's my experience with pricing, setup cost, and licensing?
The pricing model is great. You can choose between workloads or volume. I am not part of the conversation about pricing in my organization. I just know what I know about the tool from learning about Splunk.
What other advice do I have?
I rate the tool a ten out of ten.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: End user
Updated: May 2026