Splunk Enterprise Security Reviews

We primarily use the solution for SOC purposes.

The solution has made it possible to check and detect our traffic a bit better.

The incident review is great for working inside of a SOC if we want to see everything and we want to configure notables and have all notable features, it's useful. We're moving to SOAR right now for configuration for our work center. As far as ES in our work center, just detecting our notables and monitoring all our traffic, is the most important feature as far as what our day-to-day is concerned. 

Splunk has helped us with mean time to respond, although I don't have exact numbers.

Splunk has helped improve our company's resilience level.

Splunk is very good at predicting, identifying, and solving problems in real time. I've never used anything else, however, I'm impressed with the ease of it and the ability to find anything and everything we need. 

I do a lot of the maintenance. A lot of my workers are fresh into Linux and need to monitor, manage, and do maintenance on it. They should bring back the maintenance mode button. Splunk used to have it and they took that feature away.

The upgrading process could be smoother. 

I've used the solution for about a year.

The stability and availability of Splunk are great. It does get weird when we initially update items, however. That's the only time we see issues. It may try to input data in areas it doesn't need to. That said, we are aware of the quirks of the setup. 

Scaling is easy if you have done it a couple of times. 

The environment I have has multiple servers. We might have around 100 servers. 

Splunk support is very communicative about our concerns. That said, the answers I've gotten back don't make sense. I'm not sure if they communicated our issue in the right way or if they misunderstood, however, they did not correctly address our issue. In the end, we do have a good dialogue. I now expect that they will misunderstand the problem on the first round and we have to go back and forth. The effort is there to try to understand. 

Neutral

The company may have had QRadar for a while before Splunk. I wasn't around when they switched to Splunk so I cannot compare the two. 

I was not involved in the initial deployment of Splunk. 

The company has witnessed an ROI in terms of the amount of time saved via being able to tweak our searches. The docs are great. They help tremendously in filling knowledge gaps. The ROI is solid. 

I don't deal with pricing or licensing. 

I've only worked with Splunk as far as data ingestion. 

The solution does take a bit of understanding. It does need improvements in some areas. I'd rate the solution seven out of ten. 

We use it for alerting. It also helps our analysts triage.

It is our bread and butter and our day-to-day tool for the SOC. Besides alerting, just being able to do research and look through various logs to gather context around the alerts has been super valuable.

It is critical to us that Splunk Enterprise Security provides end-to-end visibility. The place that you cannot see is from where you are going to get attacked.

We have a hybrid cloud environment with AWS and Azure. I am pretty confident in its ability to help us find any security event across our environment. We have put in time to feed Splunk Enterprise Security the data that we want to look at.

I am pretty happy with its ability to ingest data. When it comes to normalizing, my company could improve on that a little because we need to do more tuning of some of the data that we are ingesting. That is not much of an issue with Splunk Enterprise Security. That is more of an issue with how we are using it. We need to possibly do a little bit better in terms of how we utilize this tool.

I am pretty confident in its ability to identify and solve problems in real-time. If it has the data and you implement it properly, it will tell you what is wrong.

With risk-based alerting, we are now getting the right context for investigations. It definitely helps and speeds up the investigation. With risk-based alerting, I can see the chain of events. I can see what caused this to occur. I do not have a percentage, but I know my analysts are not getting the alerts that they have not completed by the end of the shift. Previously, that was not the case, so I am pretty pleased.

Splunk Enterprise Security has helped improve our organization’s business resilience.

Splunk Enterprise Security helps to identify and solve problems in real-time, but I do not know if it can also predict the problems in real-time.

I am enjoying our implementation of risk-based alerting. That has helped very much with cutting out a lot of the noise that we have. It has reduced our alert volume significantly. There is about an 80% reduction.

I do not like the pricing model. It is expensive.

I have been using Splunk Enterprise Security for about five years.

I have not had issues with its stability.

It is pretty scalable. It also depends on what you are ingesting, but it does a good job with our data.

I do not use the support that often. Normally, when I am looking for help, I just search on the web. If I am trying to build something and I do not remember the command, it is pretty easy to find.

I have used logging solutions. I find Splunk easier to use than other solutions such as LogStack.

With any such tool, the alert quality that you will get is based on the data that you are feeding it. If you are parsing logs and doing a good job with that, the outcome is good.

I did not deploy this instance, but I deployed it in my last company. It was not as bad as I thought. It was comparable to some of the other product rollouts in the environment.

It is expensive, but it is a good tool.

It is worth the cost. I have worked with organizations that did not want to invest in a security tool. I am glad that we are taking security a little more seriously in this organization.

I would rate Splunk Enterprise Security a ten out of ten. I enjoy it. I like it.

We use Splunk for identity protection, threat defense, vulnerability scanning, zero-trust, and user entity behavior and analytics.

Splunk Enterprise Security has helped our customers reduce the alert volume. We ended up validating the false positives manually. We have to do quite a review assessment task. It can do some automatically, but we end up doing them manually to improve the detection. 

Splunk's advanced threat detection capabilities are excellent. Recently, Cisco acquired Splunk, so many customers are migrating to the Microsoft platform, but historically, I've found Splunk does a better job of correlating and collecting the security logs of all kinds of appliances. Most customers want to consolidate their security products into Microsoft.

It supports just about every cloud solution. It is easy to collect and correlate all the data. The visibility is good. Insider threat detection can be customized. My customer was integrated with many third-party credentials and other threat sources as well. The integration part was seamless and easy. The rates for allocating valuable information and IOCs from different sources are also good. 

The incident response technique should be available out of the box. That isn't as available as we would expect. 

I have used Splunk for around two years.

Splunk is stable. We've had no breakdowns in the past few weeks.

We can scale Splunk quickly. 

I rate Splunk support seven out of 10. 

Neutral

Deploying Splunk was moderately difficult compared to Sentinel. Collecting logs, provisioning firewall servers, and indexing are all complex tasks. You need someone with expert knowledge to do the job. The process takes four to six weeks. You need to design the solution and onboard the data, then start collecting logs and doing the detection. 

I rate Splunk three out of 10 for affordability.

I rate Splunk Enterprise Security seven out of 10. Splunk needs to compete with other products like Microsoft, and right now, it looks like they're losing the race. They need to make drastic changes and accommodate more flexible options and integration solutions. 

I have worked in a couple of areas of Splunk. Initially, I was part of a monitoring team that used it for security information. I used to monitor security alerts which we used to get on Splunk, which was based on the use cases and we set up specific rules for it. Currently, I am part of the administration of Splunk. Now I onboard different log sources to Splunk. We pass over the logs so that it can be used for the security team.

It helps with security and making sure our infrastructure is compliant. It also allows reporting to be in one centralized location. We can monitor the security logs effectively. It really helps as a cybersecurity element for the company infrastructure to protect us from attacks.

It is quite reliable in terms of data. We have a good amount of licenses currently and find it to be very flexible. It can handle and pull up any amount of data.

Splunk is very fast and user-friendly as well. The UI and design is user friendly. It is easy to understand. 

We can do a lot of things on Splunk. We can integrate a lot of other applications on Splunk. And that can be used for day-to-day security operations. It is easy to use, easy to implement, and it is fast. It is reliable.

Our organization monitors multiple cloud environments. We monitor all the infrastructure and cloud environments of clients.

It is easy to monitor multiple cloud environments with Splunk. You have to get clients onboarded to Splunk first, and then the monitoring part comes last. We have a couple of things that have to be done before the security team starts monitoring. For example, we install the agents and set up the hosting. We get the data from the host, we pass it. It is quite a lengthy process. It is easy, however, we have to do it very carefully and cautiously.

Splunk Enterprise Security provides visibility into different environments.

The solution's insider threat detection capabilities for helping our organization find unknown threats or anomalies in behavior are good. We have multiple security frameworks. For example, we have micro frameworks. There are different sets of rules. We set it. What Splunk does internally is just match the incoming logs. Based on the rules that we have set, it will match with the incoming logs. If it matches, then it will generate alerts for the security team. Based on that, we can identify if there is a potential threat trying to get into the company or internal infrastructure. 

The actionable intelligence provided in Splunk Enterprise Security is good. 

It will help us to automate things and can handle certain items on its own. It will just investigate, remediate, and close the necessary alert. If it is beyond Splunk's capability, then an investigation team will be involved in it. 

I have used the threat topology and attack framework feature, however, now I am more of an administrator.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. There are a couple of other tools as well, which do the same thing. However, with Splunk, it's very easy to work with the dashboard and do search queries. You can easily look through the logs via Splunk UI.

The solution helped reduce our alert volume. It will just minimize the false alerts, and just post positive alerts. It's likely reduced false alerts by 60%. A lot is automated now and that helps cut down on manual work.

The solution has helped to speed up our security investigations. Once again, the automation will speed up the process of investigation. It saves a lot of time for analysts as it allows them to see the initial data. If a team has multiple alerts, it will take them time to go through and check everything. However, Splunk does the initial investigation for analysts and will escalate to analysts as needed. It might have reduced security investigations by 80% compared to earlier versions. 

When we do a rollout from the server or host or anything, we'd like to see more automation. It would save us time. We wouldn't have to write anything. We would just like the raw log automation.

I've been using the solution for three years now. 

It is a stable product.

There are two types of users: the administrators and then the users where the logs are coming from. We have about ten to 15 administrators working directly with Splunk. Overall, there may be more than 1,000 end users we get logs from.

The solution is scalable. In terms of data, it's very flexible. 

Technical support is good.

Positive

I've used other solutions in the past. We previously used
ArcSight Enterprise Security Manager (ESM). It was older and very slow. Comparatively, Splunk is very fast and it has a better UI.

The initial setup was easy. It was not complex. I didn't do the implementation on my own. The deployment times vary. There are many moving parts, such as approvals that need to be taken into consideration. 

We get logs from various sources from various clients.

It does require a bit of maintenance. It requires, for example, server upgrades and patching. 

I can't comment on pricing. I don't take care of that aspect. 

I'm a customer and end-user.

I'd recommend the solution to others and invite them to test the service first on the infrastructure they have. It's a very valuable product to have.

I'd rate the solution nine out of ten.

We use it to provide both operational and security dashboards based on our clients' equipment. We use it for infra monitoring and threat analysis.

We have multiple rules for analyzing malicious activities and detecting breaches. We get the notable events from the logs and from there we drill down into the cause. We correlate that with the framework and get a score. Based on that, we proceed to the investigation.

It gives us a complete correlation between data processes and security threats. It has threat analysis and the MITRE ATT&CK framework. From a SOC perspective, it uses multiple components or frameworks and, in that way, is very useful, providing us with a lot of information for our clients. They don't want multiple teams dealing with security and malware, et cetera. Splunk Enterprise Security gives us everything in one place.

We get all the real-time logs and, based on the configuration, it's pretty easy to use to find threats. It has helped to speed up our security investigations. Before we went with Splunk Enterprise Security we had limited information but now we have threat intelligence to enhance things.

We are now handling multiple customers globally. We are able to build custom rules based on customer requirements and the applications and data they are using. It is enhancing the security of each customer's infrastructure. We are able to provide weekly and monthly reports and, based on that, our customers are honing their firewalls and other security infrastructure. Splunk Enterprise Security is very helpful in improving the security of our clients.

It gives us good visibility into multiple environments, including cloud, on-premises, and hybrid; irrespective of platform.

The UI is also very friendly. You don't have to work very hard to find things.

One issue is that we are getting a lot of false positives. We are trying to reduce them by customizing the default rules, changing thresholds, and using white-listing and black-listing. It's getting better and better as a result. But they need to build components that would reduce the false positives. 

Also, we have a lot of security feed providers. If there was some kind of management tool for that, it would be a great tool to have.

I have been working with Splunk for about four and a half years.

I started working with Splunk Enterprise Security at version 6 and now we are up to 9 and it needs more resources. But it's okay because we have a lot of functionality now. It's better than it was earlier. I would rate the stability at nine out of 10.

Splunk on the cloud is scalable, a 10 out of 10.

If someone is doing the deployment for the first time, it will be a little complex. The installation is straightforward, but for the configuration, you need to follow the documentation and understand it. That is a little difficult the first time if you are doing it on your own. If you have anyone with experience who can explain the configuration, the second time it will be straightforward.

The solution requires maintenance but not much, mostly when there are upgrades 

Most of the companies we work with are keen on budgeting. They can't spend much on security. Their problem is with the cost. They would like to have it but the problem is the budget. If they got a taste of Splunk Enterprise Security and its benefits, they might be able to cope better. A 15-day trial doesn't give them much hands-on or benefit from the tool. From a security perspective, they would need to have it for six months or a year to get a sense of it.

We try to explain, to someone who is concerned about the cost, the functionality and how powerful the application is. Security people know it's better to have a better solution, but management has to look at the budget.

We tried some other solutions, but they didn't work like Splunk. We found that Splunk is the best one.

We work on multiple cloud environments including AWS, Azure, GCP, and most of the popular clouds. We have built our own combined app to monitor most of the cloud service providers. We have our own solution for cloud security monitoring.

My advice is that for big firms, because it has better detection and security, Splunk Enterprise Security is a very good tool. For big companies, good security is important, especially if they have a global market.

I don't see any other software having as much functionality and different ways to investigate security.

We use Splunk to monitor our private cloud, data center, and other applications.

I don't like Splunk very much and find that it does not have many useful features.

Splunk works based on parsing log files.

I don't like the pipeline-organized programming interface.

I find the graphical options really limited and you don't have enough control over how to display the data that you want to see.

I find that the performance really varies. Sometimes, the platform doesn't respond in time. It takes a really long time to produce any results. For example, if you want to display a graph and put information out, it can become unresponsive. Perhaps you have a website and you want to show the data, there's a template for that, or it has a configuration to display your graphics, and sometimes it just doesn't show any data. This is because the system is unresponsive. There may be too much data that it has to look through. Sometimes, it responds with the fact that there is too much data to parse, and then it just doesn't give you anything. The basic problem is that every time you do a refresh, it tries to redo all of the queries for the full dataset.

Fixing Splunk would require a redesign. The basic way the present the graphs is pipeline-based parsing of log files, and it's more of a problem than it is helpful. Sometimes, you have to perform a lot of tricks to get the data in a format that you can parse.

You cannot really use global variables and you can't easily define a constant to use later. These things make it not as easy to use.

I have been using Splunk for approximately one year.

I use Splunk at least a couple of times a week.

I'm not sure about scalability but to my thinking, it's not very scalable. I know that it's probably expensive because it relies a lot on importing log files from all of the systems. One of the issues with respect to scalability is that there's never enough storage. Also, the more storage you have, the more systems you need to manage all the log files.

Splunk is open for all of the users in the company. We might have 1,000 IT personnel that could access it, although I'm not sure how many people actually use it. I estimate that there are perhaps 200 active users.

I have not been in contact with technical support from Splunk.

In this company, we did not previously use a different monitoring solution.

I was not involved in the initial setup.

We have a DevOps team that is implementing Splunk and they are responsible for it. For example, they take care of the licensing of the product.

We have a team at the company that completed the setup and deployment.

The other product that I've seen is Elastic, and I think that it would be a better choice than Splunk. This is something that I'm basing on performance, as well as the other features.

My understanding is that as a company, we are migrating to Azure. When this happens, Splunk will be decommissioned.

Overall, I don't think that this is a very good product and I don't recommend it.

I would rate this solution a five out of ten.

Our primary use case is mostly for monitoring security events. We have different endpoints, like router switches. It collects a lot of data and we create reports. 

We also use Enterprise Security to send alerts out. I'm still relatively new. I mostly work for the SPL side of things.

It has been really good at consolidating a lot of data from different sources. It's really good at generating summaries. 

It's exciting to hear that SPL2 is rolling out. We look forward to using that more, especially for the data ingestion part of things. 

In the context of apps, we use a lot of search and reporting. We create many searches and reports, that quickly summarize a lot of information. That's the part that I mostly look into. That has been very valuable. I also like the dashboards and visualization features.

Its ability to provide end-to-end visibility into our environment is important. It helps a lot, especially when other users or stakeholders want that information. So being a little more transparent, but being mindful of the compliance and rules associated with that. It makes it really easy to communicate with people. They want statistics fast. The ability to quickly pull it out without a hassle is very valuable. 

We use Splunk to try to reduce the number of random alerts sent out. We're trying to consolidate a lot of functions. That has been very valuable and helpful for us.

The logging system has been a great help to us. Sometimes when we try to integrate some functions, we're not sure what errors happened. We look into the logging system, and it provides so much information. 

These optimization examples have reduced the meantime to resolve. It has been reducing cutting time.

It definitely helps our business resiliency a lot. We have a specialized cybersecurity office and on-prem technology and they really like to use Splunk. It has been addressing a lot of concerns and it is able to output the data that people are looking for. It's able to predict and identify a lot of functions.

Splunk Enterprise Security has been a great help to us in consolidating our tools. It's definitely been pulling a lot of data, especially from the network side of things. We look at it for baseline security tests. Splunk has a lot of apps and add-ons that we have been using Enterprise Security for.

I currently use Splunkbase and some of the add-ons. Integrating into our apps has been very straightforward. It would be nice if Splunk provided a little more documentation and instructions on how to upload. The steps are short, but sometimes it's not so intuitive. It would be nice if there were more user-friendly help guides.

I have been using Splunk Enterprise Security for six months. 

It has been very reliable. We haven't encountered downtime that I know of. 

Splunk works with companies that are a lot bigger than us. We're medium-sized. I have faith that we can scale. 

For technical support, I look at the online community, which has been a great help. I haven't used Splunk support directly. 

The forum is easy to use. I would rate it a nine out of ten. Sometimes the response time is slow. 

Positive

I would rate Splunk Enterprise positively. I hear from coworkers that there could be tweaks. I would give it an eight out of ten.  

In the SPL default, everything's crunched together. The formatting could be neater. When I write it in the search head, it has a lot of information in one small area. It could have a friendlier user interface. 

We use Splunk Enterprise Security for 24-hour monitoring and security log checks.

It is easy to monitor multiple cloud environments with Splunk Enterprise Security. The visibility into multi-cloud environments is good.

We have some open-source tools integrated with Splunk that help with threat intelligence.

Even though we already have several SIEM solutions in place, their similarities make adopting Splunk Enterprise Security a breeze.

Splunk Enterprise Security helps speed up our investigations.

Splunk Enterprise Security is complicated in terms of developing specific cybersecurity use cases.

Our alert volume is still high and we are working on reducing those.

I have been using Splunk Enterprise Security for six months.

Splunk Enterprise Security is stable.

The technical support was responsive and knowledgeable.

Neutral

Compared to Sumo Logic which is organized, Splunk Enterprise Security is complicated.

While the deployment was straightforward, it took a few months to complete because we had to make customizations to fit our specific environment.

Splunk is priced similarly to other SIEM solutions.

We evaluated several solutions and selected Splunk due to the functionality and cost. 

I would rate Splunk Enterprise Security seven out of ten.

We're currently integrating our log sources with Splunk. Once logs are flowing, we'll deploy security monitoring use cases with alerts. We'll then explore Splunk's further capabilities.