Owner at Py Concepts
Real User
Top 20
Good notifications, a well-designed dashboard, and helpful logs
Pros and Cons
  • "It gives me notifications of notable events."
  • "Sometimes, there is latency in the logs."

What is our primary use case?

We use the solution for tracking successful and unsuccessful logins. We track privileged account activities and also a variety of other things, like developing use cases for data exfiltration or integration with ETRs and other security tools for data analysis. 

How has it helped my organization?

We wanted to solve the issue of unauthorized access, brute force attacks, and exfiltration. It's helped with MITRE ATT&CK frameworks. 

The organization has been able to quickly triage issues and investigate if something is a true threat or not. Most times, it helps our security posture. The level of confidence we have is high. With Splunk, you can query accounts when you see some strange activity. 

What is most valuable?

It gives me notifications of notable events. 

The default dashboard is very good. We can see our security posture from there.

On-prem and cloud data analysis are good. You can aggregate it if you need to in order to get good data.

Splunk has proven to be great when tracking down anomalous behavior. The logs are excellent. It is the platform in the industry. You can integrate anything. The amount of information and usability you get out of Splunk is very good.

We do use the Threat Intelligence Manager. It can be integrated with third parties. The actionable intelligence we get is useful. There is sequencing where you can gauge some actionable steps. 

I use the MITRE ATT&CK framework when I am developing a new use case. It helps us discover the overall scope of an incident. Using Splunk is essential in developing that. 

It's good for analyzing malicious activities and detecting breaches. I'd rate it highly in its capabilities. However, if you don't have the knowledge, it may be difficult. You might get a lot of false positives.

It's helped us detect threats very fast, in almost real time. 

We have reduced our alert volume. I'm not sure of the exact number, however, instead of having 100 to 200 false positives, we might get 20 to 30. 

It has helped us speed up our security investigation, although I don't handle it directly. I simply do triage, and it definitely helps there. 

What needs improvement?

There are a lot of false positives which can cause a lot of fatigue. 

Sometimes, there is latency in the logs. 

When you deploy Splunk, you need a high level of knowledge. You really need to know what you are doing. It requires a lot of things.

They need to come up with straight steps to get things done, to have a step-by-step process to achieve this or that. 

For how long have I used the solution?

I've been using the solution since 2020.

What do I think about the stability of the solution?

The stability is okay.

Splunk would tell you, especially on the different licenses they have, your storage, and your level of ingesting, it can vary. 

Splunk needs to be more clear between storage and performance. 

We worked with a client where almost immediately their storage was already in red. They didn't understand their storage needs as that wasn't clear. 

What do I think about the scalability of the solution?

The solution cuts across countries. I'm not sure how many end-users we have.

The scalability is okay. It scales well even though you have to consider your licensing and storage.

How are customer service and support?

Technical support is good. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used ELK previously. 

How was the initial setup?

I have been involved in the deployment of Splunk in the past.

The initial setup is not so straightforward for those new to it. I'm accredited and have four years of implementation. You really need that level of knowledge. It's straightforward to make a feed, make it compliant, and do field mapping, however, there are many things you need to do before deployment. 

We had six to eight people deploying Splunk. They were all mostly Splunk professionals, who understood the product and devised a plan and timeline for implementation. We integrated the relevant stakeholders into the process. We were connecting to the Splunk Cloud. 

There is a little bit of maintenance required to maintain the infrastructure. 

What about the implementation team?

We used all in-house resources to implement Splunk.

What was our ROI?

I have witnessed an ROI while using Splunk. There were some incidents previously in which the company lost millions of dollars. Bringing in Splunk has curbed that. 

What's my experience with pricing, setup cost, and licensing?

The pricing is on the high side. It's not a solution for SMEs.

Which other solutions did I evaluate?

I'm not sure if any other options were evaluated by the company. 

What other advice do I have?

Currently, we are just Splunk customers. 

We do not monitor various clouds; we only monitor one. However, they have a good solution in that we don't need to worry about maintenance if we do. 

We've never used the Mission Control feature.

If someone is looking for the cheapest SIEM solution, there are a lot of open-source options out there. However, Splunk definitely is an option. If a company is bigger, it would benefit from Splunk. They will be paying some money for it, however, it's worth it.

Resilience is important. To some extent, Splunk addresses this as we haven't had any issues. It's important to have resiliency. If your solution is not resilient, you risk security issues. 

I'd rate the solution eight out of ten. 

I would advise others to spell out what you really need and make it measurable so that you will understand if Splunk is right for you. If you are going to use Splunk, it's important to do your due diligence. 

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Riaz Ahmmed - PeerSpot reviewer
Team Lead at ATSS
Reseller
Top 20
Provides actionable intelligence, continuous monitoring, and advanced threat protection
Pros and Cons
  • "Splunk Enterprise Security is able to process a huge amount of data without any issues."
  • "Splunk Enterprise Security can be improved by including backup network detection and response and safe management to the paid platform."

What is our primary use case?

We use Splunk Enterprise Security for continuous monitoring, ensuring compliance, and advanced threat protection.

How has it helped my organization?

Splunk Enterprise Security allows our customers to view their decentralized infrastructure from a single pane of glass.

Splunk Enterprise Security's insider threat detection capabilities are good.

The actionable intelligence provided by the threat intelligence management feature is effective. The solutions are integrated into the platform, and customers receive operational insights.

The MITRE ATT&CK framework's ability to help our customers discover the overall scope of an incident is high.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches.

Splunk Enterprise Security helps our customers detect threats faster.

Splunk Enterprise Security is able to process a huge amount of data without any issues. Our customers can see the benefits two to three months after deployment.

Splunk Enterprise Security helped our customers reduce their alert volume by 40 to 50 percent.

Splunk Enterprise Security helped speed up our customer's investigation time by 60 to 70 percent.

What needs improvement?

Splunk Enterprise Security can be improved by including backup network detection and response and safe management to the paid platform.

Splunk Enterprise Security's price is high and could be lowered.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

I would rate the stability a ten out of ten.

What do I think about the scalability of the solution?

I would rate the scalability a ten out of ten.

How are customer service and support?

The technical support response time is delayed and they can take two to three days to respond sometimes.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup can be complex for customers who require advanced configurations and customizations, but it is straightforward for basic usage.

The deployment process is simple. We first identify the platform and determine if it is a unique system. Then, we define the virtual environment. After installing Splunk's platform, we perform the necessary configurations and other tasks. Splunk Security Essentials is a premium add-on for this tool, which is installed on the Splunk Enterprise platform.

The number of people required for the deployment depends on the customer's requirements and the use case they are developing. For example, if the customer needs to gather data from their network, we will need to add network experts to the project. However, if we already have experts who are familiar with the API and application connectivity, we may not need to add any additional people. Ultimately, the number of technical resources required will depend on the specific needs of the project. On average, we require four to five technical people for deployment.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security's price is high. I would rate the cost as ten out of ten, with ten being the most expensive.

What other advice do I have?

I would rate Splunk Enterprise Security an eight out of ten.

There are many cheaper solutions available on the market but Splunk Enterprise Security is worth the cost.

Two people are required for maintenance.

The value Resilience offers our customers is good.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
PeerSpot user
Solution Engineer at Sennovate Inc
Reseller
Top 5
The solution is user-friendly, and we can easily customize the monitoring script
Pros and Cons
  • "Splunk is user-friendly. We can easily customize the monitoring script."
  • "Splunk isn't appropriate for smaller companies. It's too expensive."

What is our primary use case?

We use Splunk to monitor unusual user behaviors. For example, if any user onboards from a different domain, it will trigger an alert. We also get alerts and high traffic when the ADI server is down. Splunk will monitor that behavior or when users make repeated wrong login attempts.

My full-time job is managing the IAM product. Splunk is one of our security monitoring tools. Most of my work is on IAM tools like CyberArk and SailPoint, etc. 

How has it helped my organization?

Splunk manages all of our security and maintains a hundred percent availability. It improves business while securing the entire cloud environment. In terms of business, we don't need manual monitoring. It automatically monitors and notifies an administrator, so we can easily track and identify the particular issue. It saves our employees' time, and we can manage the environment without any impact on business service.

In the UK, hackers use automated software to make repeated login attempts. Splunk immediately identified these attempts and notified the admins, so the red team suddenly took action to block them.

It's nonstop monitoring that isn't affected by business hours. You don't need a manual administrator. Splunk will monitor everything, and a single administrator can monitor the alerts. Splunk will notify us if any unusual behavior happens, allowing us to take immediate action. There's no need for any further investigation and log analysis. It provides the exact result, what happened, and where it happened. 

Splunk helps us reduce alert volume. Whenever the same type of attack occurs repeatedly, we can change the environment and improve the security so the attack won't repeat. 

It speeds up our investigations through automation. Investigating manually takes a long time, and we sometimes cannot identify the exact issue. Splunk monitors the data and events, so we configured a range. If it triggers that area, it will provide the exact result. We can immediately identify and fix it. There's no need to investigate. It reduces the mean time to resolve by 80 percent. 

What is most valuable?

Splunk is user-friendly. We can easily customize the monitoring script. We support a multi-cloud environment covering Windows Server, AWS, and Google Cloud. We also use ForgeRock to monitor Linux machines. It sends us alerts when the disk size gets full. When an employee logs in from a different region, it triggers an alert. 

What needs improvement?

Splunk isn't appropriate for smaller companies. It's too expensive.

For how long have I used the solution?

I have used Splunk for two years.

What do I think about the stability of the solution?

Splunk is a highly stable product. 

How are customer service and support?

I rate Splunk nine out of 10. When we have any questions, we raise a ticket and they respond in two or three hours. 

How would you rate customer service and support?

Positive

How was the initial setup?

Splunk provides the tenant, and we can directly integrate it into the cloud URL. For the hosting, we can deploy it to the EC2 instance. Splunk is integrated with Cypress, CyberArk, and Fastdesk. Splunk also supports SAML integration. Splunk is a SAML application, so we can use SAML protocol to enable it. 

What other advice do I have?

I rate Splunk Enterprise Security nine out of 10. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2499552 - PeerSpot reviewer
Architect at a tech consulting company with 10,001+ employees
Real User
Brings all of the components necessary to identify, analyze, and respond together
Pros and Cons
  • "The most valuable feature is that it brings all of the components necessary to identify, analyze, and respond together."
  • "Splunk is such a large product. Allowing it to be more easily used by people who have not had a lot of training on it would be an improvement."

What is our primary use case?

Our primary use cases are for detection and remediation.

How has it helped my organization?

The benefits we've seen from Splunk are that we can promote it to our customers. The second benefit is that it works. It does what it's purported to do, and the support is more than adequate. 

What is most valuable?

The most valuable feature is that it brings all of the components necessary to identify, analyze, and respond together.

It's pretty important that Splunk provides end-to-end visibility into your environment. As in any product that one purchases to fulfill a function, we want to recognize where it came in, who it affected, and what the challenges are that need to be met in order to resolve something, both immediately and also to make sure that it doesn't replicate in the future. Splunk does a good job of being able to do the former half. Dealing with issues requires tier-three support and above and it takes time. You can work through it with the help of your vendor team.

I would rate them an eight out of ten. It's not so much the problem of the application itself, although there are always improvements that can be done. There are a lot of moving parts that need to be added in and if you don't have the information that you need, especially within identity and inventory, then that can be an added challenge when you have to start making imprints based on what you do know.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. There are a number of different standards that can be presented, which is beneficial. Some customers like to have the information that they receive in one format. The driving factor is that when you work with federal customers, some of them want it in one format. The response will be in one format as opposed to another. 

Splunk has helped to improve my company's business resilience. It's an active component in ensuring that we are vigilant against intrusion and detecting it.

What needs improvement?

Splunk is such a large product. Allowing it to be more easily used by people who have not had a lot of training on it would be an improvement. That's something that they're accomplishing with their current version, although I haven't had an opportunity to learn much about it. With AI capabilities coming on board, a lot of that will alleviate the minutiae that people need to know in order to resolve problems as they come up.

Splunk's ability to predict, identify, and solve problems in real-time is a work in progress.

For how long have I used the solution?

I have been using Splunk Enterprise Security for the past four years.

What do I think about the stability of the solution?

Aside from the fact that it can be a resource hog, I'm satisfied with the stability. I don't have too many problems except for a few occasions when we have a threat intelligence file blow up a drive because there's not enough room. It might be because a complete configuration has not been implemented. 

What do I think about the scalability of the solution?

I like the fact that it can be tweaked, but a lot of the various configurations for how long data is held or how long particular components of investigation are held. 

How are customer service and support?

I encourage users to use the vendor management team and cultivate a relationship with them. I have worked with companies who had support that I would rate 11 out of 10. I would rate Splunk an eight out of ten because as any large growing company, they have challenges with keeping the talent necessary, who are not only educated to evaluate a problem and pass it on or solve it themselves.

How would you rate customer service and support?

Positive

How was the initial setup?

The largest challenge with the setup is that it has so many different components. The environment that we're in is a multi-tenant. Enterprise Security with all of its components is huge. If you're using something like a deployment server you can't break it up. It makes it rather unwieldy. I'm sure that there are workarounds that have not been implemented in-house.

What was our ROI?

Splunk provides more than the people who pay for it realize. I had a few exercises in presenting ROI and benefit-cost analysis and I have been able to demonstrate where it has performed superior to other options.

What's my experience with pricing, setup cost, and licensing?

I was deeply distressed when they went away from their perpetual license.

Which other solutions did I evaluate?

We evaluated Splunk's typical competitors. We went with Splunk because Splunk has the underlying capability of not only ingesting anything and storing it using their bloom filters and whatnot in order so that you can do sparse and large searches relatively quickly. It also has a wonderful presentation layer, which can basically plug into many other systems. I find Splunk to be a veritable Swiss Army knife of capabilities.

What other advice do I have?

I would rate Splunk Enterprise Security an eight out of ten because there's always room for improvement and because it can be difficult to learn.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
reviewer2499558 - PeerSpot reviewer
SIEM engineer at a computer software company with 1,001-5,000 employees
Real User
Helped improve our organization’s ability to ingest and normalize data but should work better out of the box
Pros and Cons
  • "Splunk Enterprise Security helped improve our organization’s ability to ingest and normalize data."
  • "In the next release, they should include machine learning-based rules that would streamline the process of finding anomalies."

What is our primary use case?

Our primary use case is to find brute-force attempts on our systems. 

How has it helped my organization?

We use it for security purposes, to find malicious activity, and to find misusage of our business platform.

The main benefits we have from Splunk Enterprise Security are the alerts with which we can manage the searches and the notables which can be good for documentation.

What is most valuable?

Identity management is the most valuable feature. 

Its ability to find any security event across any environment is useful if you use the risk parameter. If it can correlate with an identity or an asset, then correlations between such events are up to the analyst. 

Splunk Enterprise Security helped improve our organization’s ability to ingest and normalize data.

Splunk helped to reduce our alert volume by 53%. We work based on an on-call process. The analyst who is on call can use Enterprise Security to see what alerts they have and work from there.

If you load it correctly, Splunk will provide us with the relevant context to help guide our investigations. It made it easier. 

Splunk Enterprise Security helped improve our organization's business resilience.

In terms of its ability to create, identify, and solve problems in real-time, if the problem arises, we can go and look at Splunk, but if it's happening in real time and no one reports the issue, then it doesn't work in real time. 

It helps consolidate networking, security, and IT observability tools but it doesn't have such a big impact on our company. 

What needs improvement?

It should work better out of the box and have better use cases that would not require my intervention. For example, if I install an antivirus and endpoint protection on my computer, I don't need to do much. But to get any value from Splunk, I need to work hard on it. 

In the next release, they should include machine learning-based rules that would streamline the process of finding anomalies.

For real-time detection, I would not say that Splunk is the best. If you experience a problem and go to Splunk to look at the dashboard, then it's in real-time. Because of the way Splunk works, I wouldn't get an alert in real-time. 

For how long have I used the solution?

I have been using Splunk Enterprise Security for five years. 

What do I think about the stability of the solution?

On newer servers, it can be stable. On our servers, it can take a while. We need to re-enter when we press selections. 

What do I think about the scalability of the solution?

It is scalable. You can add more servers and analysts. 

How are customer service and support?

Support depends on the issue. Sometimes they help but most of the time, I have to solve the issue on my own. 

I would rate support a six out of ten. Usually, it can take time until I get to someone who can help. The diagnostics aren't always accurate. I once had an issue where they replaced a certificate that we weren't using, so it didn't solve the problem. It can take a few iterations to solve the problem.

How would you rate customer service and support?

Neutral

How was the initial setup?

The deployment is fine for me, but it is not really straightforward. I would suggest simplifying the process. For example, the whole certificate part is not secured by default. I would recommend fixing that.

What about the implementation team?

We used EMET Computing for the integration. They are fine. 

What was our ROI?

We do see ROI. We can deduce the ROI from finding the damage that misusing our business platform is causing. 

What's my experience with pricing, setup cost, and licensing?

I think that the price can be too high sometimes, especially for the cloud. We get a lot of logs that are meaningless. For example, if we are using a firewall, we get a message for every session or packet. A lot of those connections are the same. We pay a lot of money on the license and on logs that are the same. If there was a way to aggregate them, the cost of the license would be reduced.

What other advice do I have?

I would rate Splunk Enterprise Security a six out of ten. It is useful but it doesn't add that much value on top of standard Splunk. Because of our use cases and environment, we don't use all of the features it has. Nevertheless, the value it provides isn't so different from Splunk Core.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
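Two of the reviews above describe the same detection problem in different words: the first reviewer tracks successful and unsuccessful logins and brute-force attacks, the SIEM engineer's primary use case is finding brute-force attempts, and the SIEM engineer also notes that identical repeated events inflate the license cost and asks for a way to aggregate them. The Python script below is an added example written for this page; it is not code from PeerSpot, from any reviewer, or from Splunk. It shows the logic such a correlation search implements: a per-source sliding window over failed logins, escalation of the finding when a successful login follows the burst, and collapsing of repeated identical events into counted records. The log lines, host name, addresses, user names, threshold and window are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style authentication lines for this example (not taken from the page).
# Addresses come from documentation ranges (203.0.113.0/24, 198.51.100.0/24): placeholders.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234
2024-05-01T10:00:02 host1 sshd[1202]: Failed password for root from 203.0.113.7 port 51235
2024-05-01T10:00:03 host1 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51236
2024-05-01T10:00:05 host1 sshd[1204]: Failed password for oracle from 203.0.113.7 port 51237
2024-05-01T10:00:08 host1 sshd[1205]: Failed password for root from 203.0.113.7 port 51238
2024-05-01T10:00:09 host1 sshd[1206]: Accepted password for root from 203.0.113.7 port 51239
2024-05-01T10:01:00 host1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40001
2024-05-01T10:01:20 host1 sshd[1301]: Accepted password for alice from 198.51.100.4 port 40002
2024-05-01T10:30:00 host1 sshd[1400]: Failed password for bob from 198.51.100.9 port 40100
2024-05-01T10:45:00 host1 sshd[1401]: Failed password for bob from 198.51.100.9 port 40101
2024-05-01T11:00:00 host1 sshd[1402]: Failed password for bob from 198.51.100.9 port 40102
2024-05-01T11:15:00 host1 sshd[1403]: Failed password for bob from 198.51.100.9 port 40103
2024-05-01T11:30:00 host1 sshd[1404]: Failed password for bob from 198.51.100.9 port 40104
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_lines(text):
    """Turn raw lines into event dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def detect_brute_force(events, threshold=5, window_minutes=5):
    """Flag each source that accumulates `threshold` failed logins inside a sliding window.

    A later successful login from a flagged source raises the severity to high: a success
    after a burst of failures is the finding an analyst should triage first.
    Returns {src: finding}; sources whose failures are spread out never reach the threshold.
    """
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        recent = deque()  # timestamps of failures that fall inside the current window
        users_tried = set()
        for ev in evs:
            if ev["result"] == "Failed":
                recent.append(ev["ts"])
                users_tried.add(ev["user"])
                while ev["ts"] - recent[0] > window:  # evict failures older than the window
                    recent.popleft()
                if len(recent) >= threshold and src not in findings:
                    findings[src] = {"failures": len(recent), "distinct_users": len(users_tried),
                                     "first": recent[0], "last": ev["ts"], "severity": "medium"}
            elif src in findings:  # an "Accepted" login after a flagged burst
                findings[src]["severity"] = "high"
                findings[src]["success_as"] = ev["user"]
    return findings


def aggregate_events(events):
    """Collapse repeated (src, user, result) triples into one record with a count and time span,
    the kind of summarisation that cuts the volume of identical events before indexing."""
    agg = {}
    for ev in events:
        rec = agg.setdefault((ev["src"], ev["user"], ev["result"]),
                             {"count": 0, "first": ev["ts"], "last": ev["ts"]})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ev["ts"])
        rec["last"] = max(rec["last"], ev["ts"])
    return agg


if __name__ == "__main__":
    evs = parse_auth_lines(SAMPLE_LOGS)
    for src, f in detect_brute_force(evs).items():
        print(f"{f['severity']:6} {src}: {f['failures']} failures, {f['distinct_users']} users, "
              f"{f['first'].time()}-{f['last'].time()}, success_as={f.get('success_as')}")
    print(f"{len(evs)} raw events -> {len(aggregate_events(evs))} aggregated records")
```

With the sample data, 203.0.113.7 is flagged and escalated to high because a successful root login follows five failures in eight seconds, while 198.51.100.9 is not flagged at all: its five failures are fifteen minutes apart, so no five-minute window ever holds the threshold. Widening the window to two hours flags it too. In Splunk those two knobs, threshold and window, are what a correlation search over the Authentication data model exposes, and they are the main levers on the false-positive volume several reviewers describe; the aggregation step is the same idea the SIEM engineer asks for on the ingest side.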
reviewer2499693 - PeerSpot reviewer
Information Security Engineer at an educational organization with 1,001-5,000 employees
Real User
Helps with quick analysis and helped improve our organization’s ability to ingest data
Pros and Cons
  • "Splunk Enterprise Security quickly gives us a view of an endpoint or a user or identity. If I want to look for an identity or an asset, I just quickly go into Splunk Enterprise Security. I know where to go and get a quick analysis for a respective object."
  • "At Splunk .conf24, I saw a demo for Splunk Enterprise Security 8. All the things that they have done in Splunk Enterprise Security 8 are what it can be better at."

What is our primary use case?

We use Splunk Enterprise Security for our security analysts for them to be able to view incidents. They are not 100% dependent on Splunk Enterprise Security as their incident source. They do have other tools that they use and other things like whois data, threat intel, and lookups for our domain. They are able to quickly look at the activities done for the assets that we have.

How has it helped my organization?

I am not from the management or the leadership, but I do feel that it has been helpful for us Splunk engineers who are responsible for looking at all the data and logs. Splunk Enterprise Security quickly gives us a view of an endpoint or a user or identity. If I want to look for an identity or an asset, I just quickly go into Splunk Enterprise Security. I know where to go and get a quick analysis for a respective object. The analysts have their dashboards, and they have their action items. They use it differently. They follow all the common procedures.

We are on-prem. We are not on the cloud. As of now, Splunk Enterprise Security does not provide us with end-to-end visibility, which is one of the drawbacks of why we need to use other tools. It is not that Splunk Enterprise Security cannot do it. It is just the way it is configured right now. We are working with Splunk engineers. We have a lot of professional service hours that we spend with them bringing all parties into the picture and doing working sessions.

Right now, Splunk Enterprise Security is in the middle in terms of helping us find any security event across our environment. Based on the way the configuration is done in our environment, it would not be right to say that the incident would be reported accurately from Splunk Enterprise Security. That is because not a lot of data is being put into Splunk Enterprise Security to make something a notable event and report about it. If we configure it better and have more data models normalized, and then we use it, it will be more helpful. It has been a long-term goal, but we will reach there soon.

Splunk Enterprise Security has helped improve our organization’s ability to ingest data.

Splunk's unified platform has not helped consolidate networking, security, and IT observability tools. I am an engineer, and I am more into administration and creating user interfaces on Splunk Enterprise itself, not Splunk Enterprise Security. We have done some work on Splunk Enterprise Security and then left it with analysts. It is up to the analysts now. Splunk Enterprise Security is not 100% configured. Some basic data models have been set up. They are generating notables, and we are generating alerts out of it, but it is not 100% there. They do have to use other tools such as their networking tools to get a full picture for incident reporting.

What is most valuable?

One of the most popular features that I personally like is that in the case of an event, I should be able to run a desired action for that on a threshold, but that is not how we are using it right now, unfortunately. We have a pretty manual process. We have an operating procedure, and we follow that. I would like to see it automated. I do not want analysts to decide whether the action needs to be done or not. It should be done provided the policy says so. If the policy says it needs to be done, it should be an automatic process rather than a manual process.

What needs improvement?

At Splunk .conf24, I saw a demo for Splunk Enterprise Security 8. All the things that they have done in Splunk Enterprise Security 8 are what it can be better at. They have put Mission Control as a part of the notable or finding itself. The investigation shows the findings, and the findings allow us to do everything that we are doing in Mission Control right there on that same screen. That is what we want now. They said it is going to be released in two to three months. We are hoping that we will be able to use it. I was hoping that I would be able to see version 8 when I am here at Splunk .conf24, and when I go back, I would be able to help them implement it, but it is still 7.3.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

It is pretty stable.

What do I think about the scalability of the solution?

It is pretty scalable. We have a huge deployment. It is good.

We are a huge agency. It is in the public sector. We have 15 terabytes of data.

How are customer service and support?

They are good. We have a huge team of Splunk engineers within our company. Some of them are contractors, and some of them are employees. They are pretty responsive.

Based on my interaction, I would rate them an eight out of ten. Some engineers do not understand what is there to solve, and they start pushing their perspective on the customer, which is not how it should be because it is not their environment.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not use any similar solution previously.

How was the initial setup?

The deployment of Splunk Enterprise Security was very simple.

What about the implementation team?

We have professional service hours. We worked with Splunk engineers, and we had live working sessions. We were doing it like that. We did it for over a period of time, but that did not give us the full power of Splunk Enterprise Security. For that, we need to be able to configure our own data models and normalize the data. That is not happening 100%.

What's my experience with pricing, setup cost, and licensing?

It is quite expensive.

Which other solutions did I evaluate?

We did not evaluate any similar solutions.

What other advice do I have?

At this time, I cannot assess Splunk Enterprise Security in terms of the ability to identify and solve problems in real time, but we do use regular Splunk to pinpoint a lot of problems. It helps us a lot. We are able to pinpoint a lot of things, whether they are vulnerabilities or pointing to some logs in the firewall or authentication logs. All the analysts use it very frequently to write searches.

Splunk Enterprise Security has not helped improve our organization’s business resilience because we are not 100% dependent on it. 

Splunk Enterprise Security can provide us with the relevant context to help guide our investigations. However, the input is not 100% perfect, so the output is not 100% perfect.

I would rate Splunk Enterprise Security a ten out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Lambert Séguin - PeerSpot reviewer
Manager and Specialist Master at Deloitte
Real User
Top 20
The full platform is quite useful, and there are a lot of tools that we can use to leverage and modify for our own purposes
Pros and Cons
  • "The solution's newly developed dashboard is pretty amazing."
  • "Many of my clients want to get better at Splunk, but they're afraid of using the tool because they feel it's too complex for them."

What is our primary use case?

We use the solution for detection, basic building searches, and creating many dashboards for investigation purposes. We have also been using it recently to create some RBA detection rules.

What is most valuable?

The solution's newly developed dashboard is pretty amazing. The full platform is quite useful, and there are a lot of tools that we can use to leverage and modify for our own purposes. Clients don't necessarily know about it, but the tool is powerful because it saves so much time.

What needs improvement?

The solution has so many features that it's easy to get lost. Many of my clients want to get better at Splunk, but they're afraid of using the tool because they feel it's too complex for them. They also need to go through a certification to use the tool.

For how long have I used the solution?

I have been using Splunk Enterprise Security for five to six years.

What do I think about the stability of the solution?

The solution's stability is a lot better on the cloud than on-premises.

How are customer service and support?

The solution’s technical support is good. Sometimes, the technical support team's response time depends on the severity of the alerts. Sometimes, we don't get the right person on the call.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I use solutions like ArcSight, Exabeam, and Sentinel for different clients.

How was the initial setup?

The solution’s initial setup is easy and not that difficult.

What was our ROI?

Our clients have seen a return on investment with the solution.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is an expensive solution.

What other advice do I have?

It is extremely important to our organization that the solution provides end-to-end visibility into our environment. Usually, a lot of companies don't have full visibility on their endpoints or servers.

Splunk Enterprise Security is a really good tool for helping us find any security event across multi-cloud, on-premises, or hybrid environments, like finding a needle in the haystack.

The solution has improved our organization’s ability to ingest and normalize data. Splunk Enterprise Security has also helped us identify and solve problems in real time.

When processed correctly, the solution provides us with the relevant context to help guide our investigations.

If everything works correctly, Splunk Enterprise Security helps speed up our security investigations by 50%.

The solution has helped reduce our mean time to resolve by 20%.

When something breaks with the solution, troubleshooting and figuring out the problem is hard. The solution runs better on the cloud, with fewer problems and errors, than on-premises. We may not have the right hardware on-premises.

Splunk Enterprise Security is a great app that has been really innovative in the past. I would recommend the solution to other users. There's a cost to it, like anything that is of quality. However, if you want the best, Splunk is at the top right now. The solution is deployed on AWS and Microsoft Azure clouds.

Overall, I rate Splunk Enterprise Security a nine out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer1519419 - PeerSpot reviewer
CEO at a retailer with 51-200 employees
Real User
Top 20
Centralizes data and enables efficient correlation across multiple vectors but is costly
Pros and Cons
  • "The most valuable features of Splunk Enterprise Security are its high-performance data collection, flexible query language, and its versatility across the organization."
  • "Splunk Enterprise Security could improve in automation, flexibility, and providing more content out of the box."

What is our primary use case?

I use Splunk Enterprise Security for monitoring, threat hunting, and quick response. By implementing Splunk Enterprise Security, I aimed to address security challenges and threats for both myself and my clients.

How has it helped my organization?

Splunk Enterprise Security has significantly improved our organization by centralizing data and enabling efficient correlation across multiple vectors. The benefits were realized quickly after deployment, with noticeable improvements within the first three to six months.

Splunk Enterprise Security has sped up my security investigations by approximately 30-40%.

What is most valuable?

The most valuable features of Splunk Enterprise Security are its high-performance data collection, flexible query language, and its versatility across the organization. The unique query language, once mastered, provides flexibility, and the tool extends beyond just security, benefiting network and development teams. This versatility and speed in searching and trend identification enable quick defense for my clients. For me, it is about fast detection, rapid response, and easy access to crucial data.

What needs improvement?

Splunk Enterprise Security could improve in automation, flexibility, and providing more content out of the box. The effort required for tuning and management is higher compared to some other solutions. Focusing on automation and reducing the engineering effort would enhance its effectiveness. I would like a store platform similar to what Sentinel offers to be included in the next release of Splunk Enterprise Security. Additionally, the pricing structure needs improvement.

For how long have I used the solution?

I have been using Splunk Enterprise Security since 2016.

What do I think about the stability of the solution?

The stability of the solution is quite good.

What do I think about the scalability of the solution?

The scalability of Splunk Enterprise Security is good. The solution is stable and performance-driven, making it well-suited for scalability.

How are customer service and support?

The community support for Splunk is excellent, with an engaged user community. However, for the standard technical support, unless you opt for the premium, I would rate the support as a three on a scale of one to ten. It is not as helpful as desired.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?

Before Splunk Enterprise Security, I used various solutions, including LogRhythm. I chose Splunk because it proved to be more stable and reliable, especially compared to the issues I experienced with LogRhythm. With Splunk Enterprise Security, it takes my analysts approximately 30-40% less time to resolve alerts compared to our previous solution.

How was the initial setup?

Monitoring multiple cloud environments using Splunk Enterprise Security dashboards is moderately easy, around a six out of ten. Setting it up requires a fair amount of engineering effort, especially for non-Splunk Cloud environments like Azure and GCP. Once configured, monitoring becomes straightforward, allowing easy creation of use cases and efficient log monitoring for improved cloud security.

The initial deployment of Splunk Enterprise Security was complex, involving significant engineering effort and tuning. It took anywhere from three to twelve months, which is considered a relatively long time. In comparison, deploying Microsoft solutions typically takes around six weeks on average, which is a significant difference in deployment efficiency.

The implementation strategy for Splunk Enterprise Security involved workshops, high-level design approval, and phased deployment covering physical deployment, log collection, testing, and tuning. Typically, three people from my team (project manager, lead engineer, and lead analyst) and around half a person from the customer's side are involved. Maintenance is substantial, requiring a team of 13 engineers for 60 customers, ensuring not everything breaks simultaneously.

What's my experience with pricing, setup cost, and licensing?

I find Splunk Enterprise Security to be overly expensive, and their pricing model lacks flexibility. There is no consumption-based pricing, and dealing with Splunk can be challenging. They seem rigid, less accommodating, and often don't listen to customer needs. A more flexible and customer-friendly pricing approach, aligning with industry trends, would be appreciated.

Which other solutions did I evaluate?

Before choosing Splunk, I evaluated other options, including QRadar. However, if I were to evaluate them today, my choice might be different.

What other advice do I have?

If you are willing to invest in engineering effort, Splunk Enterprise Security provides excellent visibility into multiple environments, including cloud, on-premises, and hybrid setups. While some solutions may require less effort, Splunk is capable and versatile, making it a strong choice for comprehensive visibility across diverse IT environments.

Assessing threat detection capabilities in Splunk Enterprise Security is like evaluating how easy it is to drive a car. It provides powerful tools, but mastering the query language for utilizing these features requires effort. Once you know how to use them, it becomes an effective tool for detecting unknown threats and monitoring user behavior.

I use the Splunk Mission Control feature, which is highly important to my security operations. It is particularly valuable for multi-tenant and multi-site mission control scenarios. The Splunk Mission Control feature is effective for centralizing threat intelligence and ticketing system data when dealing with a single entity or group. However, its usefulness diminishes when managing multiple customers with diverse policies and groups.

The features in Splunk for discovering the overall scope of an incident, including the topography aspect, are considered industry standards. However, the topography feature is not particularly useful in my case, so I don't extensively use it.

Splunk Enterprise Security is effective for analyzing malicious activities and detecting breaches, especially if you invest the effort. However, newer solutions are considered better and more flexible. While Splunk was an industry leader five years ago, today, platforms like Microsoft Sentinel may outshine it in terms of ease of use, especially for users unfamiliar with Splunk.

Splunk Enterprise Security has helped me detect threats faster compared to other solutions. It stands out in terms of speed and effectiveness.

My advice to others is that if you are looking for the cheapest solution, Splunk may not be the right choice. Consider alternatives like LogPoint or Arctic Wolf, but be cautious as they might not offer the quality and capabilities needed for effective security. Sometimes it is better to invest in a more robust solution than settling for a cheap option that might not meet your requirements. Overall, I would rate the solution as a six out of ten, mostly because of its pricing.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. msp
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2025