Splunk Enterprise Security Reviews

There are many use cases. Most of the use cases are related to security, data integration, and data sources. 

Splunk Enterprise Security helps with real-time detection. When we integrate any data source, if any external IPs or external devices are accessing that data source, we get notified. We get alerts based on the use cases we develop.

Splunk Enterprise Security has improved the incident response time a lot. Splunk is doing log ingestion, and it is also used to search the database for issues. It is ingesting and identifying. All that is happening in a single solution.

Splunk Enterprise Security is very easy to use. We can monitor anything. We can monitor and integrate any type of applications and servers. It is very easy and effective. I work with different security tools, but none of the security tools has these many features.

Splunk's documentation is clear. Irrespective of the environment we are working in, we have clear documentation.

One of our clients is using the Threat Intelligence Management feature. The actionable intelligence provided by the Threat Intelligence Management feature is very good.

I have been working with different vendors. Splunk Enterprise Security is a very effective and user-friendly tool. Whether it is Sentinel, LogRhythm, or QRadar, each one of them has its own limitations, but Splunk has all the features.

Its benefits can be realized very quickly. It does not take lots of days or months.

Splunk Enterprise Security has helped to reduce our alert volume. There is a 60% to 70% reduction.

Splunk Enterprise Security has helped speed up our security investigations.

It is user-friendly. It is more effective than other solutions. The support and help for troubleshooting and the documentation from Splunk make it very effective.

It has multiple features. It has data integration, search, reporting, and alerting.

It does not need any advanced programming. It only requires basic programming.

In terms of features, it does not need any improvement. Everything is good so far. The only improvement I am expecting is the cost of the licensing. Clients are going to other solutions just because of the cost.

I have been working with Splunk for more than 7 years. I have worked with Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, and on-prem Splunk.

It is very stable. We never had any issues or bugs.

Its scalability is good.

The support from the Splunk side is very good. They provide the best support.

Positive

I have used Sentinel and QRadar. I switched because of the advanced features, support, and good documentation. It is very effective. It is the best solution. The only problem is the cost.

I have worked with cloud deployments and on-prem deployments. Its initial setup depends on the environment. It is sometimes complex, and sometimes, it is very easy. We also get good support from them.

Our implementation strategy has 3 phases. We first go for development, and then we go for Pre-Prod. After that, we move to Prod.

Currently, I am the only one handling the deployment, but when it comes to operations, we need at least two to three people.

It requires maintenance. Generally, 2 people are required, but for my clients, I am the only one who is taking care of the maintenance.

We have seen an ROI.

It is expensive. I work for multiple clients. I am working for more than 5 clients, but most of the clients are switching from Splunk to Sentinel because of the cost. Even though Sentinel is very limited, clients are moving to Sentinel.

I would recommend Splunk Enterprise Security to anyone who is looking for a similar solution. This is the only solution with all these features.

I would rate Splunk Enterprise Security a 9 out of 10. It is stable, user-friendly, and feature-rich. It is very helpful. Even though it is expensive, the stability, support, and technical documentation make it very effective.

I work in security and use Splunk for endpoint and application security, use case development reports, etc. I haven't used Splunk much for threat intelligence. We have a threat intel feed configured, and we create use cases based on those and the recommendations by the threat intel team. If something isn't covered, we create a use case for it. For example, if an application has an authentication interface enabled, we check all their authentication mechanisms and all the login policies. 

Splunk speeds up our incident response by enabling us to automate some of the investigation steps, such as finding information about the user or the source of the incident on machines. We can then move directly into the remediation phase and assign those tickets to the remediation team. It also triggers automatic email alerts to the recipient user. If our security analyst wants to see the alert logs or anything, they can easily drill down to identify any information required.

It allows us to configure use cases involving our machine-learning toolkit, and we have an adaptive threshold in ITSI. Using these tools, we can eliminate false positives and do some whitelisting to weed out users who are performing benign activities. Removing the false positives reduces the incident response time.

We can start to see results immediately once we have achieved a steady state. For instance, we can easily show how much our mean resolution time for incidents has fallen and provide metrics in a way that is easy for our clients to understand. 

Splunk's interface is user-friendly, and it has apps and add-ons for most applications. We can easily normalize the data to make it readable and understand the logs. We easily get all the field extractions and enrichment done by using the apps and add-ons. This helps us understand the application logs because the raw data is useless unless we extract some useful information from it. These add-ons make it so much easier.

Dashboards are useful when we present things to management. They want the numbers and the results. The leaders aren't interested in what we are working on. We need some visualization for our presentations. Splunk has beautiful and useful visualization and dashboard alerts. We can easily create visualizations using the available options and create different types of charts, reports, and graphs that are easy for management to understand. We can also provide our leaders direct access to the dashboards, so they don't need to reach out to our team to get this data or we can automatically send them the reports via email. 

Splunk has several useful features, like asset and identity management. If we integrate our asset and identity management properly in this log, it's effortless to identify the user, device, or asset. We can get all the details if we integrate those things into the lookup engine.

It would be nice if Splunk reduced the cost of training. Their training sessions are way too costly.

We have used Splunk for around seven years.

Splunk is highly stable if you meet all the prerequisites and have enough physical memory for your local storage. 

If you use the cloud version you can scale as much as your licensing allows. It's easy to scale, upgrade, or add instances according to your needs. 

I rate Splunk support 8 out of 10. They're good, but I think there is room to improve because Splunk is the market leader, and they should strive to provide the best possible support. 

Positive

I previously used QRadar and ArcSight. Splunk is one of the top products. Compared to Sentinel or QRadar, Splunk is the market leader in features and security. You can integrate application, physical, or cloud security and onboard those logs into Splunk, then tailor it to your requirements. 

I've worked on multiple deployment models for Splunk, including hybrid, cloud, and on-prem. The deployment is straightforward. We do a POC and then scale it based on our requirements. 

I feel like Splunk is worth our investment. 

The cloud version of Splunk is somewhat expensive, but it does provide some flexibility because you do not need engineers to manage the system. Everything is hosted in the cloud because it is a SaaS service. It depends on the usage. It is costly, but everything good thing comes at a price.

I rate Splunk Enterprise Security 9 out of 10. 

We use Splunk Enterprise Security to enhance our overall security posture by proactively managing our threat profile across the enterprise. This enables us to see valuable insights and effectively monitor all OEM devices.

It is easy to monitor multiple cloud environments using Splunk Enterprise Security. This helps with DLP and security across our SAM solutions.

Although I favor the cloud's convenience for credential management, Splunk Enterprise Security's visibility remains consistent across multiple environments.

Splunk's insider threat detection reveals daily threat events and highlights anomalous behavior on the dashboard.

The threat intelligence management feature continuously monitors activities across cloud, on-premises, and hybrid environments, and informs stakeholders of any suspicious activity.

Splunk Enterprise Security has endpoint security protection to analyze malicious activities and detect breaches through the analysis of new log content.

Splunk Enterprise Security helps us detect threats two to three hours faster.

Splunk Enterprise Security has helped improve our incident review times, security posture, network protection, and endpoint protection. We saw the benefits within the first month of use.

A decrease in false positives has enhanced our risk analysis, security posture, and the speed of our alert investigations, resulting in daily time savings of four hours. 

Splunk Enterprise Security has saved us two hours per day of investigation time.

The ability to manage large amounts of generated data and to protect all devices from unauthorized use are the most valuable features.

The threat detection library needs to increase the frequency at which the playbooks are updated. 

I have been using Splunk Enterprise Security for two years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The technical support is good.

Positive

The initial deployment was straightforward. We wanted to cover all of our endpoints. Two people were required for the deployment.

The implementation was completed in-house.

I would rate Splunk Enterprise Security an eight out of ten.

Splunk Enterprise Security is a leader in the market and provides great visibility into an organization's security posture.

We have 100 people that are using Splunk Enterprise Security.

The continuous visibility and SOC requirements of the resilience Splunk offers are a benefit to any SIEM. Resilience is important for organizations that run a hybrid environment.

I utilize Splunk Enterprise Security to create alerts within various use cases, including data onboarding, gap analysis, and business testing. I ensure that the use cases adhere to the defined criteria and address any changes or requirements raised by the client. Additionally, I handle any necessary backend modifications in Splunk by deploying code to appropriate environments, including the production environment.

We implemented Splunk Enterprise Security to capture more effective alerts. We create alerts to utilize advanced filtering capabilities. Additionally, we employ Sentinel as our endpoint security application. I have created all instances of the query as intended and have mapped them to Splunk. However, the corresponding alert is not being generated. These are the areas that require attention.

My expertise lies in Splunk Cloud and Azure. While I have worked with AWS in the past for a short period, my current focus is on GCP and Splunk Cloud. My responsibilities involve troubleshooting, alert verification, and key generation. Based on specific requirements, I employ my self-generated queries to identify the relevant fields, such as email or location. Next, I implement lookup conditions and pinpoint the table containing the desired field type. This process allows me to determine the specific requirement of the use case and define the search parameters accordingly. Finally, I conduct a time-bound search to identify any defects.

I deploy to Splunk Cloud, GCP, and on-premises environments. I have experience working with both platforms. When working on the cloud, we don't have the same level of visibility as we do on-premises. For example, we cannot directly access the fraud department systems. In the cloud, we must make all changes and deployments through the Splunk UI. This is relatively straightforward, as there is no backend to manage. However, it requires a thorough understanding of the configuration files and the data fields we need to modify.

We manage multiple cloud environments, including Splunk Cloud and GCP. Splunk Enterprise Security dashboards make it easy to monitor these environments seamlessly. We have a single user interface that allows us to log in to our account instantly and check for any issues, such as Data Collection Processor errors. This unified UI also provides access to the back end of both Splunk Cloud and GCP instances, eliminating the need to switch between different platforms. Whether we need to manage Splunk Cloud or GCP settings, we can do so directly from the UI, which is easy.

Splunk offers comprehensive visibility into our IT infrastructure. The only challenge lies in managing multiple user accounts. We need to create separate accounts for the UI, production environment, and staging environment. Additionally, if we have a DCP or a system cloud, we need to create corresponding accounts. Once that is done we can log in and use it.

Regarding Splunk Enterprise Security's insider threat detection capabilities, we receive an alert for every new case creation. If there is a high likelihood of a specific alert occurring, we have a corresponding use case in place to address it. We also receive soft tickets, which are potential alerts that may materialize in the future. These soft tickets are documented in Jira, and we continuously monitor them. By analyzing these alerts, we can identify potential issues. For instance, this morning, we received an alert for a new case with a missing application name. The interaction table contains the destination user account, process ID, process name, OS, and other relevant information, but the application name field is blank. We investigate this particular use case to determine the cause and timing of the alert. Since we are receiving the alert slightly earlier than expected, we consult the ticket for further details and substitute any missing information.

I have utilized the MITRE ATT&CK framework when the use case pertains to a specific data model. To comprehend the data model, we examine the processes involved or the fields that a particular tool utilizes. To achieve this understanding, we align the MITRE ATT&CK framework with the data modules. Subsequently, we extract the field name and field value. When dealing with ranges and incident changes, we must input the corresponding MITRE ATT&CK ID. This involves determining the tech ID and identifying the ID values associated with it.

Using Splunk Enterprise Security to analyze malicious activities and detect breaches is an efficient approach. When testing a use case, it's not necessary to manually enter the application name as it's provided automatically. Since the requirement is for SSO, we need to verify whether it's LDAP, Splunk Cloud, or AWS. Occasionally, irrelevant results may appear during data ingestion. We test for subscription-related issues and analyze the results. This testing process provides insights into the circumstances that trigger specific alerts. Malicious activities will undoubtedly be detected, and all our requirements will be met. Alerts are generated whenever unusual timeframes or activities occur. Various filtering criteria allow us to identify and capture specific user IDs or patterns within events. This capability proves to be highly beneficial.

The speed at which Splunk Enterprise Security detects threats could always be faster but it is designed to detect threats quickly. It uses various techniques, including queries, to identify and analyze potential threats. This allows it to produce faster search results than traditional methods, enabling us to locate the information we need more efficiently. While I cannot provide an exact percentage of how much faster it is, it is undoubtedly significantly faster. It can process thousands of events, ranging from twenty thousand to thirty thousand, in a very short period.

I've gained valuable knowledge from having to troubleshoot various situations. For instance, I've learned that the SIM needs to be flipped to use the new applications. Additionally, I've discovered that the error limit for event results should be increased beyond 10,000 because the source type values have increased significantly. This ensures that alerts are received even when there are large volumes of data. Furthermore, I've learned that some clients have different index limit requirements. Some clients require a seven-day index limit due to licensing restrictions or data ingestion considerations. Those who have the larger license opt for a 15 or 30-day index limit. In these cases, the large amount of data generated can necessitate a 1TB or higher index size limit. These learning experiences have been invaluable in my work, and I'm constantly encountering new scenarios that expand my knowledge base.

Splunk Enterprise Security has helped speed up our security investigations. 

The best part of Splunk Enterprise Security is its customizable settings. We can modify the front-end interface, data sources, and various other aspects to suit our specific needs. This flexibility makes it extremely user-friendly and convenient.

Apart from its customizable settings, Splunk Enterprise Security also offers a range of other advantages. It enables us to easily analyze logs, use field queries, and perform other tasks without requiring any extensive training. The search function is intuitive and straightforward, making it accessible to anyone.

The UI-based reporting dashboard is another highlight of Splunk Enterprise Security. It provides real-time visibility into important metrics and allows us to drill down into specific events for in-depth analysis.

Splunk Enterprise Security has not helped reduce our alert volume. We need to separate a few of the alerts, and if there is a time based on the priority, we put the time at what time it needs to appear every day or for seven days or more days. If an alert is present or if something is triggering, then it will be detected. However, the number of alerts that can be handled effectively depends on the specific use case. For each result that is affecting the system or for any specific issue, only those particular alerts should be generated. We can define a timer and determine how often checks should be performed. For example, weekly checks may be sufficient in some cases. However, if there are hundreds of alerts generated in a week, it may not be possible to handle them all effectively. Testing must be conducted to filter out unnecessary alerts. Therefore, clear boundaries must be defined in the use case when creating alerts.

The price for Splunk Enterprise Security is high and has room for improvement.

I have been using Splunk Enterprise Security for two years.

Splunk Enterprise Security is an extremely stable product.

Splunk is compatible with a wide range of other products and is not constrained by specific configurations. Whether it's a single-sided or multi-sided cluster, whether it's used by a single team or multiple teams across different program locations, Splunk is flexible and adaptable. Data recovery is also a key feature, ensuring that data is never lost. This is one of Splunk's most significant advantages. Multiple indexes are maintained to safeguard data integrity, so even if one index fails, the data remains accessible to all users at all times.

Splunk Enterprise Security is scalable.

Comparing SentinelOne and Splunk, we've found that SentinelOne requires a thorough understanding of our processes, including their business context, process names, and all relevant conditions. In contrast, Splunk is more forgiving, allowing us time to learn and adapt. Additionally, SentinelOne's pricing structure can be more complex compared to Splunk's straightforward approach.

While Splunk offers ease of use, better visibility, and intuitive management, SentinelOne demands more technical expertise to implement and maintain. Splunk, on the other hand, provides granular control over event filtering, enabling us to retrieve detailed information based on specific criteria, such as Linux or Windows events. SentinelOne, however, may not provide the same level of precision, requiring more precise query formulation.

The initial deployment is straightforward. We only require the name and the value, and the process is very quick. We were already using GitHub, GitLab, and GitPass, so integration with Splunk was seamless. Splunk is compatible with all of these applications, which makes it a good fit for our needs. We are also using ServiceNow, and Splunk communicates seamlessly with it to raise tickets. The overall deployment time is minimal. One person can manage the deployment process, and I have completed 18 deployments myself. Each deployment takes one day to finish.

The cost is on the high end, which makes it difficult for some organizations to use. However, the benefits outweigh the cost.

I would rate Splunk Enterprise Security eight out of ten. While I have not explored all aspects of Splunk, I have found Splunk Enterprise Security to be a useful and reliable tool in the areas I have used. 

Splunk is deployed in one location. On our team that works on the SIM development team, we have 28 people who use Splunk Enterprise Security.

Splunk Enterprise Security necessitates ongoing maintenance. Tuning tickets are available, so we perform the necessary tuning, and if there is an outdated ticket, we make the required changes. I addressed a ticket from 2018 that required tuning. They requested certain additions, such as authentication or a new index, and maintenance is performed to incorporate these new features.

In multi-cluster environments, maintenance can be performed from different locations simultaneously. This feature is very convenient and allows for flexible maintenance scheduling.

I recommend Splunk Enterprise Security because it is a comprehensive solution for enterprise security. I'm currently working on the SIEM component, but the SIM is also available. Splunk offers various ways to search and configure, making it very easy to use, even without prior knowledge. We can seamlessly integrate Splunk into our existing workflows.

We provide comprehensive infrastructure support and ingest mine data in three ways. The first is Agent-based where the information is sent from client machines to an agent. The second is TCP port forwarding where data is sent to Splunk through an open port. The third is the HEC token. We then use the Splunk DB Connect app to ingest data as per the client's requirements.

We are currently onboarding data from AWS to GCP. We are moving data from on-cloud to our production and deployment level environment. Additionally, the data is being added to the services on those machines. To forward the logs to Splunk, we have created a default index, which is a way of storing data in a particular way. We have created the index based on the requirements of the data storage.

Currently, we are ingesting all kinds of government security PI data. Similarly, we can ingest any kind of confidential data into Splunk using masking. This allows us to filter the data and mask sensitive information. For example, if a user account number has ten digits, we can mask out the first six digits so that only the last four digits are visible. We ingest this kind of confidential data into Splunk, and we also ingest PI data and Splunk governance data.

We are using the threat intelligence management feature. We have a separate security team, called a soft team, which is responsible for finding vulnerabilities, threats, and malware alerts in our Splunk environment. We use the threat intelligence management feature to identify any suspicious activity that may be coming from outside users. The soft team continuously monitors these alerts and creates proxy alerts to identify any potential threats.

Splunk's insider threat detection capabilities help us to easily identify threats by using Splunk queries. We have predefined Splunk Insight and are also using the one in the app, which is configured on top of Splunk machines. This allows us to quickly identify how many unknown IPs are syncing into other machines, and we can use this information to identify threats.

We use threat pathology and MITRE ATT&CK. I am currently supporting a financial institution with its infrastructure, which is split into two teams: one for complete infrastructure support, including hosting and operations, and the other for security-related matters. My team is continuously investigating new security threats, so we will take care of the onboarding process. As part of the infrastructure support team, I am responsible for handling all onboarding tasks. If I encounter any security concerns, I will escalate them to the SOC team.

We have a lot of operations using the Mission Control feature in Splunk.

Splunk helps us analyze malicious activities and detect breaches. We are using a Splunk SaaS application in a multi-class environment. To maintain high availability with zero downtime, we have maintained close to 70 indexes and 50 searches. Splunk provides us with alerts from the entire infrastructure, which helps us maintain our service. We use Splunk Mission Control to iron out any issues. For any special needs, we can go to Mission Control to verify and mitigate alerts.

Splunk Enterprise Security has helped us reduce our alert volume. Splunk currently ingests five terabytes of data, and we can set parameters to exclude rotational works and backlogs to reduce the number of alerts.

Splunk Enterprise Security has helped speed up our security investigations.

Splunk has a wide range of features that customers use to find and analyze all kinds of logs. For example, they can use SQL queries to identify vulnerabilities. Additionally, they can create dashboards to visualize and filter their data, and to create real-time alerts when thresholds are exceeded. Splunk Vision is a popular tool for data modeling and visualization and is used worldwide.

The price has room for improvement.

I have been using Splunk Enterprise Security for five years.

We are maintaining a multi-cloud environment across multiple regions, and for the last two years, Splunk Enterprise Security has maintained a 99.999 percent uptime.

We open cases on behalf of our customers with Splunk. If the technical support resolution is not up to par, we request a meeting call to work with the support team and resolve the issue for our client.

We also use the Red Hat OpenShift enterprise Kubernetes container platform. OpenShift is a more popular container tool with excellent support, but all of our OpenShift deployments are on-premises, along with production clusters around the world.

For the deployments, we scan the data to ensure that the Splunk machines can support it. If we identify anything on the machine, we ask the customer to remediate the issue by upgrading the version of Splunk. Most of our customers are using version 8.3.3.

I would rate Splunk Enterprise Security nine out of ten.

Organizations that value their security should not choose the cheapest SIEM solution. They should expect to invest in a SIEM solution that can meet their specific needs, even if it means spending more money.

Monthly patching maintenance is required. 

We use Splunk Enterprise Security as our SIEM solution.

The log sources are in multiple cloud environments, but the deployment of Splunk is on-premises.

Monitoring our AWS and Azure cloud environments with Splunk Enterprise Security is easy.

The visibility into multiple cloud environments is good. We have complete visibility because we integrate all our logs and sources into Splunk.

Splunk Enterprise Security's insider threat detection capabilities module runs on the backend and provides complete visibility into anomalous behavior and zero-day attacks.

The threat intelligence management feature is a necessary tool in our environment. The actionable intelligence provided by the threat intelligence management feature is helpful. We can see the IoC to help with our investigation.

Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.

Splunk Enterprise Security helps us detect threats faster.

Splunk Enterprise Security helps reduce our alert volume by whitelisting the false positives.

Splunk Enterprise Security has helped speed up our security investigations. Splunk uses user-friendly language and visibility to speed up our investigation times.

Splunk offers significant time savings for analysts compared to tools like Azure Sentinel, with analysts resolving alerts 30-40 percent faster. Additionally, Splunk's user-friendly dashboards simplify administration.  

Splunk Enterprise Security's value lies in its ability to collect and analyze security logs, providing insightful dashboards.

Splunk's high cost, despite its recognition in our region, prevents many organizations from adopting Splunk Enterprise Security, suggesting there's room for improvement in their pricing strategy. 

I have been using Splunk Enterprise Security for six months.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is designed for easy scaling.

Our organization is expanding our clusters day by day.

The technical support is collaborative. We do receive a response within the appropriate time.

Positive

While I have experience with Azure Sentinel and other SIEM tools, Splunk stands out for me. It provides a full SIEM experience with informative dashboards, clear language for easy analysis, comprehensive visibility across my systems, and a robust CIM for data organization.

The initial deployment was technical but not overly complex. We faced difficulties with the log process going down and not getting the results in the client console. The overall deployment took around three hours to complete.

Three people were involved in the deployment. 

The implementation was completed in-house.

Splunk differs from other SIEM solutions by using a gigabyte-based pricing model, rather than the agent-based licenses common with its competitors.

While Splunk Enterprise Security carries a higher cost and requires budgeting, cheaper SIEM, and open-source alternatives often have limitations. This makes the decision a matter of weighing the cost against the features most important to each organization's security needs.

I would rate Splunk Enterprise Security nine out of ten.

On paper, Splunk Enterprise Security is the top solution for detecting security threats in any organization, but Splunk Enterprise Security is expensive and most organizations don't have a proper budget to implement a SIEM solution. So they look for a more reasonable cost-effective solution. This is a hurdle for implementing Splunk Enterprise Security. It was originally designed for data science and modified for security. It is a top tool for SIEM and data analytics.

Splunk Enterprise Security stands out for its threat detection capabilities, but its cost can be a barrier for many organizations. Originally designed for data science, it excels in both security and analytics, but its price tag often pushes businesses towards more budget-friendly SIEM solutions.

Splunk Enterprise Security offers good resilience for our customers.

For organizations that don't have the budget for Splunk Enterprise Security, I would recommend Azure Sentinel.

There are lots of use cases such as finding threats, attack factors, and logs. It helps with rogue DNS or brute force attack detection. We have logs related to why a particular account was created. There is alerting. We can get some false positives, but by fine-tuning some of the things, we can reduce false positives.

Splunk is a security monitoring tool. It helps with incident handling, data logging, and observability of metrics. Splunk can handle all these things. Splunk Enterprise security is a premium app of Splunk through which we can have all the threat intelligence and incident reviews. It helps in finding all the attacks and Advanced Persistent Threats (APTs).

We also have dashboards. We can collect logs from different sources and applications. We can also troubleshoot issues. If we are having any issues with an application, we can go to that particular index to see what is the cause. If any application is failing or giving an error, we can troubleshoot the issue. We do not have to log into the server to find the error.

We monitor multiple cloud environments. We have GCP, Azure, and AWS. It is easy to monitor multiple cloud environments using the Splunk Enterprise Security dashboards. Splunk releases inbuilt apps, so by using those apps and add-ons, we can integrate it with our cloud environments. For example, for Azure, they have a Microsoft Cloud Services add-on. We need to register the app in Azure, and after registering the app, we have to use the tenant ID and set it up. There are a lot of inputs, and we can use all those inputs to onboard different logs from Azure. There is also the capability for HTTP event collection.

We have a hybrid environment, and that works best for us. For a lot of things, we cannot just go fully cloud. Hybrid is the best option for us. We are happy with the visibility that Splunk Enterprise Security provides. It is also about how we configure things. If we do not do it in the right way, we will not get visibility. We have to know what kind of tools we are using and what kind of data we are pulling. We cannot pull everything. We have to know what to pull. If we pull only what is required, we would not have any problems.

Splunk Enterprise Security comes with MITRE ATT&CK and Cyber Kill Chain frameworks by default. There are 12 processes in the MITRE ATT&CK framework. We just have to onboard logs, create the data models, and assign those ATPs to monitor all the kill chains. We can monitor all attack vectors and persistent threats that we want to monitor.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. I would rate it a 9 out of 10 for that. It can also go to 10 for different clients based on different requirements.

Along with Splunk Enterprise Security, we also install another Splunk app that has all the threat intelligence. We then feed the data through a CSV file and create the use cases. We set up alerts for those. In the case of an event, an alert is generated and assigned to a particular SOC analyst. There can be some false positives, but with proper configuration and filtering, they can be reduced.

Splunk Enterprise Security has been very beneficial and valuable for us. Our application teams can use the indexes to troubleshoot the issues they are facing at their location.

Being able to ingest data from all the tools and all the apps being used in the environment is valuable. Being able to create alerts when, for example, the CPU usage reaches 95% is also valuable. We can set up alerts and proactively fix the issues. Splunk helps with all these things, and Splunk Enterprise Security has almost 2,000 use cases. It follows MITRE ATT&CK and Cyber Kill Chain frameworks. There are certain notable events for which we can configure our security posture. We can onboard all the logs through indexes and create dashboards to view what is going on in the environment.

Overall, it is pretty good. They are improving it every day. They recently released SC4S for onboarding syslog data. However, the support and the pricing can be better.

It has been 8 years since I have been using Splunk. I am not a part of the core security team. I handle some parts of enterprise security, such as SIEM data models or the creation of some correlation searches and use cases. The majority of things, such as threat hunting or threat intelligence, are managed by our core security team.

We faced some issues, but we fixed them ourselves. We have around 10,000 knowledge objects running. All the knowledge objects should not be running all the time. They should be distributed over 24 hours so that the servers do not have any extra pressure at a particular time. We used to have an issue with our indexes going down. The CPU was being utilized 100%, and everything was getting stopped. We found the issue. We fixed that, and we are good now.

It is pretty easy to scale. For Splunk Cloud, we log a ticket with Splunk support, and they start the process. It does not take much time. However, there is a cost involved in that. 

We have been ingesting 40 TB a day. We have three locations: The USA, the UK, and France.

The SLA for Splunk Cloud support is not satisfactory for a customer. The turnaround time is a bit low. That should be fixed. I would rate their support a 9 out of 10.

Positive

I have not used any similar solution in my current organization.

In my previous organizations, I have used solutions such as Elk, IBM QRadar, and Microsoft Sentinel. Microsoft Sentinel is good. Splunk is better than QRadar. Splunk has a lot of capabilities. It makes it easier to do many things and do them correctly. It does not require as much effort as required in IBM QRadar and Microsoft Sentinel.

Splunk is a bit costly, but if we control our usage during our searches, its cost is okay. When not controlled, it becomes a bit costly.

To those evaluating Splunk and solutions, I would advise knowing the features they would be getting. Elk is open source, but there is an underlying cost of infrastructure. The cost almost becomes the same. You have to hire people who can work on Elk and then you have the underlying infrastructure cost.

We were on-premises, but we recently moved to Splunk Cloud. We have been using Victoria for the last eight months. When going from on-premises to Splunk Cloud, Splunk recommends engaging professional services. 

The migration was done by Splunk. For administration and maintenance, we have about eight people, but the number of users in the environment would be in the thousands.

The maintenance of Splunk Cloud is taken care of by Splunk. Customers do not manage the clusters. With the on-prem setup, we have to patch the servers, upgrade the servers, or restart them from time to time so that the rebalancing of the buckets happens properly. In Splunk Cloud, we do not have to do these things. We only take care of the data normalization part. All other things are managed by Splunk.

It does provide a return on investment.

It is a bit costly.

Be clear about what you want and try to filter out as much as possible. Create role-based rules and assign them to users rather than assigning every role capability to all the users. Also, everyone should not have access to all indexes. Only certain people should have access. For example, if someone is from the AD team, he or she should have access to the particular index logging the AD logs. They should not have access to all of it. There should also be some kind of training before you give access to people so that they know which searches to use and which ones not to use. They should understand the impact of various things.

I would rate Splunk Enterprise Security a 9 out of 10 based on my experience and the work that I do with the core security team. They are pretty satisfied with it.

The solution is used in my company to help the security operation center in work areas like detection, response, and investigation while maintaining cybersecurity standards.

My company has benefited from using Splunk Enterprise Security, which has helped us stay out of the headlines in newspapers. The tool helps detect threats early and respond to them effectively.

The solution's most valuable feature is that it helps with our use cases to detect anomalies in our data and it is important to my company since we have a lot of data on different logs on the systems. We need to be able to create insights that are indicative of malicious activities, which is one of the main purposes of having Splunk Enterprise Security in our company.

The product lacks cross-cutting capabilities. The features in Splunk Enterprise Security that were initially promised to our company are still not available. My company has been asking Splunk for some of these features to be provided in the product for years, and we have been promised that they will be introduced soon in the solution and be part of the product's next release.

I believe that the contract and the terms and conditions mentioned in it are areas where improvements are required.

I have experience with Splunk Enterprise Security.

When it comes to the on-premises version, the stability of the product was quite reliable. When my company moved to the product's cloud version, we faced some major issues related to availability and dealing with events like data corruption.

The product's scalability is okay. I do not think my company faced issues in the area of scalability.

The product's support services were not great initially, but now they are in really good shape. Whenever my company connects with the product's support team, they listen to our questions and queries, so I feel that we are in a much better place now. I rate the technical support as eight out of ten.

Positive

My company has experience with ArcSight. We switched to Splunk Enterprise Security because we couldn't get good answers to our questions from ArcSight, and it was just not functional.

The solution is deployed using the cloud services offered by Splunk. Recently, my company also deployed the tool on an on-premises model. In our company, we monitor both, cloud and on-premises, with our cloud instance.

In the beginning phase, I would describe the deployment experience as a costly and hard process. The migration process from on-premises to cloud was hard and took our company a year to complete. There were different kinds of roadblocks on our company's and Splunk's end. My company worked directly with the migration process associated with the product.

It is difficult to say whether I have seen an ROI since it is like trying to figure out how much an insurance policy works. I think that our company will receive a return on investment from the use of the solution since it helps the organization's cybersecurity team stay out of the newspapers. My company has always been able to deal with threats quickly with the product.

Regarding the product's pricing, I think it has always been difficult to have a conversation with Splunk. Considering the contract thing and the whole legal area, it takes forever to get the contracts signed and to be able to agree to the terms and conditions for my company as well as for Splunk's team. I like the direction Splunk stays in by thinking with the customers about how to reduce costs and only have that data searchable or available, which you need at a particular time. I like the path Splunk is going on, specifically its current trajectory. I appreciate the efforts put in by Splunk in the area partnership, which is what my company expects.

My company uses Microsoft Sentinel. A multi-SIEM environment provides my company with the best of both worlds. Sentinel has some good features, like Microsoft Graph Security, that the tool uses for the whole Microsoft ecosystem. Microsoft Sentinel is a good option for my organization.

In my company, Splunk acts as a product that complements Sentinel because the former lacks some features. I think Microsoft is strong in the area of service delivery. Microsoft's EDR tools, like Microsoft Defender, use Servers from Microsoft Graph Security, and my company benefits from such a type of integration, and we are able to send alerts to Splunk. In our company, if we start to ingest all the data we usually ingest in Splunk by moving to Sentinel, it will become too expensive, so we have to choose where to keep our data.

My company has been able to reduce the mean time to resolve with Splunk Enterprise Security as it went down from a couple of days to hours.

My company has seen a significant reduction in alert volume. It was very noisy earlier, but lately, my company hardly sees any false positives.

It is super important that the solution provides end-to-end visibility of our company's environment because you can never know from where threats can materialize. The fact that users can correlate and ingest data makes sense and is crucial, considering the massive amounts of data.

Splunk Enterprise Security has helped improve our company's ability to ingest and normalize data, which is one of the tool's key benefits.

I would not say that Splunk Enterprise Security has helped solve problems in real-time scenarios, but it has helped solve problems on a near real-time basis. In my company, there is always some lag between the data that comes in and the ones being ingested and correlated. Splunk Enterprise Security aids in solving problems in a matter of minutes.

Splunk Enterprise Security provides relevant context to help guide our company's investigations, and it is very important and can be considered everything for our organization. In our company, we pull in data from assets and registries to give index-based alerts and be able to find owners quickly to notify them and respond to threats.

Splunk Enterprise Security's ability to help our company find any security events across environments is excellent. My company is really happy with Splunk Enterprise Security. The product helps our company find bad stuff when needed.

The truth is that it is very hard to deliver solutions that work at a certain scale. I think that one of the things I could say is that it is a solution that scales up at work. There are many organizations where solutions fail, and I can say that since I have been a part of the deployment of many other tools, it is hard to get many products to work. Splunk Enterprise Security works, and our company's analysts rely on it and trust it. I can only see improvements considering the strategies in terms of where the product's management team is going, and I believe that I will be able to rate the tool a nine out of ten pretty soon.

I rate the overall solution an eight out of ten.