Splunk Enterprise Security Reviews

We have integrated different tools to get files from various types of endpoints. We also have Check Point. There are a few Windows use cases for brute force and code block attacks, and we use Splunk to detect when a user is logging in from another country where we don't do business. Splunk is integrated with our AWS environment, so we ingest logs from Amazon CloudTrail, GuardDuty, and other solutions. 

Without Splunk Enterprise Security, it would be difficult for us to manage and prioritize alerts. There's a potential to lose track of important notifications, and it's essential to our security that we do not miss anything. Splunk has improved our investigations because the reporting and dashboarding make things so much easier.  We can provide weekly or monthly reports. I also like Splunk's ability to integrate. 

We can fine-tune our alerts to reduce false positives or low-priority alerts. It reduces the time our admins spend on responding to alerts by one or two hours weekly. We can alter the policies, do geoblocking, and add certain applications and IPs to our allowed list. 

Splunk covers our cloud and on-prem environments. We were exclusively on-prem, but we are slowly moving into the cloud. Our developers can customize investigations by adding multiple interesting fields and aggregate those details in Enterprise Security by using the appropriate SQL queries.

We use Splunk's threat intelligence management feature, which provides insight into how business decisions can make an organization vulnerable to cyber attacks. All of these things fall under tactical threat intelligence. For example, it can tell us if someone is accessing our organization's API. 

We have integrated all our tools so that we can monitor any alert type, but we use Splunk primarily for investigations. We're ingesting audit, security, application, and Windows logs. Once we get an alert, we go to the tool and investigate further

Splunk uses the MITRE ATT&CK framework, giving us new tactics and techniques based on issues observed in other businesses and industries and helping us to address novel threats to our network. MITRE ATT&CK is highly useful. 

It's a little difficult to archive data in Splunk for longer than six to eight months. Integration is more challenging compared to other tools we've used, such as LogRhythm. 

Integrating tools and creating use cases could be easier. It's hard for a junior security engineer with only a couple of years of experience to write use cases. They can do it, but it's much easier in a solution like IBM QRadar. Setting conditions is like a multiple-choice type of thing. It's a more user-friendly process. 

We have used Splunk Enterprise Security for nearly a year. 

I rate Enterprise Security nine out of 10 for stability. Splunk is solidly stable. We've rarely experienced a crash requiring us to rebuild cases. 

Our organization has around 1,000-1,500 groups, and Splunk works fine for us. 

I rate Splunk support nine out of 10. Their support team is excellent. We schedule calls with them when we have issues. They typically rectify any problems in eight to 12 hours. At most, it will take a week to fix an issue. 

Positive

I have worked with LogRhythm, and I think Splunk's interface is much better. It's more attractive and has a more interesting feel, so I think it makes things easy for our analysts.

I rate Splunk Enterprise Security eight out of 10. Splunk is useful for compiling all types of logs for investigation and monitoring purposes. I can recommend Splunk for people if they are comfortable with the deployment and integration. While integration is easier with solutions like QRadar or LogRhythm, Splunk is better for everything else. 

My use cases are SIEM basically, which means using Splunk Enterprise Security as our SIEM effectively. We are taking all of our data from on-prem and some of our cloud services and importing them into Splunk Enterprise Security, then creating and generating alerts and reports based on some of our security use cases.

What I appreciate the most about the product is the flexibility with data ingestion and searching, which is very powerful; you can do whatever you want with it. We were able to see its benefits pretty much right after we got it implemented.

The UI sometimes can be laggy and not responsive. Additionally, some places need to be refreshed from a UI visual standpoint; I think they're starting to get better at that. Splunk Enterprise Security has come along much better since when we started looking at it.

We use the cloud version, the Splunk Enterprise Security Cloud version, so we don't have access to a lot of the back-end functionality. Not having used it on-prem and just going straight to the cloud means there are some nuanced differences in how things are managed. If you look up documentation it says, 'You need to update this file,' and I cannot access that file. The translation between on-prem and cloud for some of the configuration elements needs clarification.

I have been using it for a year and a half.

Stability and performance are pretty good for the most part, with only the UI lagging sometimes. Depending on the screen, it can take a while to load.

Regarding scalability, it's hard to really say as we haven't had to build out anymore since implementation. However, we've been able to input most everything into it, and we don't have to do any rescaling as it happens automatically, which is beneficial.

I have contacted their technical support, and they are pretty good for the most part. There have been a few times when things were prolonged, but overall, the support has been good.

Neutral

I have not used any alternative solution.

The initial deployment was pretty easy for our company. It took us three months to fully deploy it, and we are maturing as we've been progressing. We have had many transitioning use cases, but getting the data in was pretty straightforward.

Splunk Enterprise Security doesn't require much maintenance on our end, just patching and occasional app updates. Most of it is just configuration work and not application updates, which is beneficial.

Our whole team manages it right now; it's not a one-person job.

I am somewhat familiar with the pricing. Generally, it seems expensive, though I don't think it's the most expensive option. Sometimes it can be confusing to determine the best way to utilize everything based on our pricing tier.

I would rate Splunk Enterprise Security an eight out of ten.

My main use case for Splunk Enterprise Security is centered around threat detection and incident response. I’ve configured correlation rules and alerts within the SIEM to proactively detect suspicious activities. The environment includes multiple servers and security devices from which I collect log data using forwarders. These logs are ingested into Splunk, parsed, and analyzed to identify anomalies, security issues, and performance concerns. This setup helps streamline investigations and reduce response time to potential threats.

Splunk Enterprise Security has significantly improved our organization by centralizing log management, enhancing visibility into security events, and enabling faster detection and response to threats. The customizable dashboards, real-time alerts, and powerful correlation capabilities have streamlined our incident response process and reduced investigation time. It has also helped us meet compliance requirements more efficiently by automating reporting and audit trails.

Splunk Enterprise Security’s most valuable features include its powerful log aggregation from diverse platforms, flexible search and correlation capabilities, and customizable alerting system. It allows me to collect logs from virtually any source—servers, firewalls, cloud services—and create custom rules to generate meaningful alerts. The flexibility of Splunk’s Search Processing Language (SPL) makes it easy to build tailored dashboards, identify threats, and quickly pinpoint the root cause of issues, significantly improving operational efficiency and threat detection accuracy.

While Splunk Enterprise Security works well overall, improvements could be made in user management—particularly around simplifying role-based access controls and troubleshooting user account issues. Additionally, future releases could benefit from:

Improved UI/UX: A more intuitive interface for new users and simplified dashboard customization.

Built-in Use Case Library: More out-of-the-box security use cases and alert templates to reduce setup time.

Cost Optimization Tools: Better native tools to monitor and manage licensing usage and storage costs.

Enhanced Cloud Integration: Streamlined and more secure integration with major cloud providers for hybrid environments.

These enhancements would make the platform even more user-friendly and efficient.

I have been working with Splunk Enterprise Security for about two years.

I previously used Dynatrace and open-source tools like SigNoz. While Dynatrace excels in application performance monitoring, it requires an additional license fee for server-side log collection, making it less ideal for centralized log management and SIEM use cases. SigNoz, being open-source, offers basic log management but lacks the depth, scalability, and advanced threat detection features of Splunk Enterprise Security. I switched to Splunk Enterprise Security because it provides a comprehensive, all-in-one solution for security monitoring, log aggregation, and real-time alerting, which better fits enterprise-level security needs.

The initial setup of Splunk Enterprise Security was straightforward. I followed publicly available documentation, which was clear and easy to understand. The installation and configuration process went smoothly without any major issues. From initial setup to full deployment—including log collection, rule configuration, and dashboard setup—everything was completed in about two days, demonstrating how well-documented and accessible the deployment process is for users with a solid technical background.

I would rate Splunk Enterprise Security an eight out of ten.

There are a lot of use cases for Splunk Enterprise Security. The main one is when you are trying to detect an authentication attack. There are lots of people trying to get access to a system, so they are constantly trying to authenticate. Splunk Enterprise Security can quickly detect that through its correlation engine. If there is a specific attack of the anomalous amount of users trying to log into a system, it generates an alert. Our SOC is then able to analyze that alert and determine whether it is a false positive or a true event. If it is a true event, they can work towards containing that attack. If anything is a success, they can quickly provide that information to our incident response team.

The benefits that we have seen from using Splunk Enterprise Security have been faster response time and faster enrichment of information so that the analyst can act and respond in a more timely and efficient manner, which then provides more information to leadership, such as myself. We are then able to respond. We know how to present risks and how efficiently our SOC is doing to our senior leaders. There is a 30% to 40% improvement because, with the system we had before, the capability of figuring out what was going on to analyze the event was cumbersome. Splunk Enterprise Security has driven and given analysts the ability to analyze a lot more efficiently.

Splunk Enterprise Security provides end-to-end visibility into our environment. It is very critical for us.

Splunk Enterprise Security helps us find any security event across multi-cloud, on-premises, or hybrid environments. It helps in all of this. We have multi-cloud environments. We have all four main cloud environments. We also have our on-prem environments. We have also set up a hybrid environment. It has improved our ability to detect and find needles in the haystack that we were not able to see before. There are lots of things they have been able to detect. People were installing things and misusing AUP violations that we were not able to see before.

Splunk Enterprise Security helped reduce our alert volume with the implementation of risk-based learning. When you are doing risk-based learning, you can definitely reduce the volume, but initially, when you move from one SIEM to Splunk Enterprise Security, you do not really reduce volume. You are generating more. Because you are getting better visibility, you are generating more information for the analysts to look at, and then over time, as Splunk Enterprise Security and the team learn the environment, you are able to tune down and then use the risk-based alerting to help reduce a lot of false positives.

Splunk Enterprise Security provides us with the relevant context to help guide our investigation. There are limitations, which is where Splunk SOAR helps with the enrichment of the information, but it definitely provides good context. In the notable alerts, it provides a lot of key information that you need, and then there is the ability to drill in to see what the actual events were, so it really helps.

Splunk Enterprise Security is efficient at predicting, identifying, and solving problems in real time. With the correlation rules, the ability to have adaptive responses, and the ability to tie in even machine learning into that, we are able to do real-time analysis and quickly gather and detect.

Splunk's unified platform helps consolidate networking and security tools, but sadly, our organization does not use IT observability tools. We are purely from a security perspective.

It has so many features. The incident review pane is the best part of it because that is where the SOC lives. It is the heartbeat of what the SOC needs to do. You are able to start the investigative process. As you are sitting in the incident review pane, you see the alert, and from that one alert, which is called a notable alert, you can drill in and see all the different specific details that are tied to that. You then have adaptive response action that can be taken automatically on that, or you can even drill in to look at what events drove that alert to be created. You can then start doing more hunting and querying that way. There is so much information contained in the notable alert itself in that panel. It helps to drive the direction of where the engineer should go.

I am looking forward to seeing what is coming out in the new release that was announced, but case management is an important thing. Being able to have a one-stop shop where you have the alert, but then you can generate the case right there from Splunk Enterprise Security instead of having to pivot to another tool such as Mission Control. You do not have to keep bouncing between them, so if you could do it all in one place, that would be great. The new release is supposed to start getting in that direction.

I have one environment that has been using Splunk Enterprise Security for two years in the Splunk Cloud. I am currently in the process of migrating my on-premise corporate environment to Splunk.

At this point, Splunk Enterprise Security is very stable.

It is very scalable. Particularly, when you do search and clustering, you are able to scale rapidly to be able to meet the demands of what is needed for your SOC. The data model setup helps to quickly drive and get rules created without having to need a new data source or a new rule. You just send that new data source to one of the data models, and you already have the rules there, and it automatically starts generating alerts based on those existing rules.

I would rate their support a seven out of ten. Sometimes, you get some solid people, but other times, it takes a bit of effort to get across what the actual issue or situation is. This is a challenge for any help desk organization particularly when you have lots of customers calling in and all of them with unique situations.

Neutral

We were using another tool previously. There were many reasons for switching. One big reason was the ease of integration of data into the tool. With the previous tool, to integrate a normal log source, such as an identity access tool, into the SIEM, we had to pay for PS engagement in order to even get the information in. Splunk has native integration with all these different apps. It is natively tied to all the different IDAM and ID tools out there. It is very easy for the team to implement it themselves. They do not have to go and get extra help to do it. They can install the app, get the keys and authentication set up between the two new tools, and then it just works.

Our deployment experience was just fine. I deployed Splunk at other companies before, so it was not new to me to do it with this company. The pricing and everything else went smoothly. The Splunk team was super helpful. They were very engaging. They helped to build it. We were able to get access to Splunk engineers who worked for Splunk, and they helped define the sizing. They went through and evaluated what our current solution was and helped us build out what we needed in order to meet and exceed that capability. Splunk has been super helpful.

For one environment, I am using the public cloud, and then for my other environment, I am using an on-premise setup. We have the AWS cloud.

We did use professional services to help with this. At my previous company, I would not have used professional services because I had a team of Splunk architects who knew what they were doing and knew how to do it. In this company, we were moving from a different technology to Splunk. My teams were not as familiar with Splunk, so I needed the extra help. We had the help of Splunk professional services and third-party professional services. We used Verizon.

The environment that we had set up has been running for two years. I had planned that initially for a certain amount of growth, but within the first year, we had already doubled the size of the data. It was able to handle the information so much more efficiently that a lot of the groups that were not integrated into the SIEM before started saying that they needed their data monitored as well, so we started growing quite quickly. It has helped us exponentially.

I evaluated several SIEM solutions before choosing Splunk. With Splunk, we had the ease of integration of data because getting the data in as quickly as possible and making use of it is important. Another area is that in certain tools, you have to generate one rule per data source, whereas Splunk has the data modeling capability where you have all the data sources going into the data model, and then you create one rule per data model instead of per data source. It helps reduce the workload for the system, so there was that aspect of more performance than any other solution.

I would rate Splunk Enterprise Security a nine out of ten. It is a market leader from an SIEM perspective. It has bells and whistles, but it does not let you get lost in those bells and whistles. It helps drive the analyst into what is the most important thing that they need to focus on, and that is protecting the company. They are able to be more efficient. They are able to help do what the mission of the company is, and that has enabled the company to not worry about the security part. Without a risk, they are able to do their business and help their customers.

I use Splunk for visualization, reporting, monitoring, log aggregation, and other security purposes. We gather various logs into one place and analyze them based on specific business use cases to get high-level insights that inform decision-making at every level of the organization. We also use it to aggregate other IT logs — not just security. 

Our organization is working in a massive on-prem environment. We're one of Splunk's oldest clients. It's convenient to migrate everything to the cloud, and we would have more flexibility. However, we currently have our resources and everything established to use Splunk on-premises, so we aren't switching to a cloud environment.

Splunk allows us to monitor logs and track suspicious activity in real time. With the help of the SOAR platform powered by AI and ML, we can respond quickly. Our security posture is better, and we can resolve security incidents quicker. Splunk has improved our visibility by providing critical security metrics in our dashboard and strengthened our security controls. 

The number of alerts we receive is similar to what we saw using our previous solution. While it hasn't necessarily reduced our alerts, Splunk is improving our resolution time and overall security.

I like Splunk's automated threat detection and orchestration capabilities. Splunk offers a single solution for analyzing, aggregating, correlating, monitoring, reporting, visualizing, etc. You can get all of these capabilities in one place. On top of that, it provides a cloud, testing, on-premise, and hybrid solution, giving customers more flexibility for their use cases. 

Splunk's real-time monitoring is one of its best features.  The user interface gives you a single dashboard to directly view all the high-level information. The security incident monitoring and investigation page is also very helpful. You can document an investigation step by step. Many investigators can work on a single incident also based on their shifts. Everyone can add notes on the investigation page. 

The incident response features are based on real-time data. The monitoring team can immediately take over an incident and prioritize tasks based on risk scores. We can assign multiple technicians to one security incident based on their skill, improving resolution time.  The incident review dashboard provides many useful details, like the indicators of compromise and risk scores.

We can get threat intelligence from multiple platforms, including the latest known IOCs, to support our response to security incidents. We store the threat data from various sources in a centralized place, and it updates every six to 12 hours. 

The MITRE ATT&CK framework feature is helpful for understanding which phase an incident is in and what the next steps are so a technician can prevent it from progressing. It gives us a detailed overview of other tactics it might be associated with, enabling us to stay vigilant. We can correlate with other simultaneous or sequential incidents and take action to strengthen our security based on these incidents.

We've sometimes faced issues with upgrades. The incident review dashboard sometimes breaks after updates. When we add a space or something in the description or anywhere in the SQL, the drill-down value may be reset with a blank value. Before rolling out any software, they should test it thoroughly and ensure clients won't have issues with the upgraded version. It should be compatible with all or most of the apps. All major issues must be addressed before rolling out the upgrade.

I have used Splunk for eight or nine years. 

I rate Splunk nine out of 10 for stability. 

I rate Splunk eight out of 10 for scalability. Scalability is always a challenge. The larger your environment, the more issues you'll have. There aren't many problems with Splunk on the cloud, but scaling can be challenging in an on-prem environment. If you're ingesting a significant volume of data, you need a proper maintenance routine to maintain your base architecture. Sometimes, it's a bucket application. It can take a few hours to reset those things, and network issues might contribute to that. 

I rate Splunk support eight out of 10. It varies based on your data volume and number of licenses. 

Positive

I have used several solutions for different clients, including QRadar, Palantir, and Microsoft Sentinel. Splunk has more capabilities than QRadar. It's also more flexible and user-friendly. You can modify and customize the solution to show you the information you want.

The deployment depends on the environment. It may take only a couple of weeks to deploy Splunk in a small environment, but a larger environment involves a detailed process that may take months. It helps to have a larger staff. It also depends on how process-oriented an organization is. Some organizations will take much more time in the planning and design phase. 

After deployment, Splunk requires a good deal of maintenance, depending on the volume of data you're ingesting and your user base. It may require multiple resources to manage this environment. 

Splunk improves our security controls, resolution time, and threat-handling capabilities. We're saving time and resources, meaning more money for our clients. 

I don't know about Splunk's pricing because I work on the technical side, but I know it is a costly platform. There are cheaper products and some open-source ones, but Splunk costs a lot because of the features it provides. Still, the pricing is a concern for many of my clients, and more would use Splunk if they lowered the cost a bit. 

I rate Splunk Enterprise Security nine out of 10. I would recommend Splunk because it covers multiple services in one place. It also has a strong developer community. You can easily get help from community support. Splunk is a versatile product that competes well with leading security tools like Microsoft Sentinel.

We use Splunk for monitoring and investigation and recently integrated it with ServiceNow. It's a SOC tool, and any malicious activities on the client's side trigger an alert here. 

Splunk has improved our operations by giving us access to more information and allowing us to deploy more use cases. We have integrated Splunk with ServiceNow, so the information from the queries running on the back end is now directly forwarded to the analysts, reducing the manual work. We are pulling data from Splunk into ServiceNow, so the security analysts have all the user details to conduct their investigations. 

It's easy to monitor multiple environments with Splunk. The cloud model is better than the previous on-premises version. The custom dashboards are helpful. We have created multiple dashboards for user activity, logins, phishing, etc. If you miss an alert, you can check the dashboards. For example, if you need to check some user activity, we have a dashboard for Azure Active Directory, and Mimecast is integrated for monitoring email-based attacks like phishing. It throws the information up on the dashboard when we get an alert.

The monitoring aspect of Splunk could be improved. We have to do some queries to get as much information as CrowdStrike or other solutions provide. If you run a big query, you will see a delay. That is the only concern we have because it will take some time if you query large data sets. 

I have used Splunk for more than three years.

I rate Splunk 10 out of 10 for stability. 

Splunk is a highly scalable product. 

I rate Splunk support 10 out of 10.

Positive

Deploying Splunk is somewhat complex, and it requires maintenance afterward. 

Splunk is expensive based on our current requirements, but it's obviously worth what we pay. 

I rate Splunk Enterprise Security nine out of 10. I see Splunk as a monitoring tool, not as a security tool. It provides alerts, and we conduct an analysis and investigation based on the information we receive. I believe having another sandbox integrated with Splunk will be helpful for the investigator.

I utilize Splunk Enterprise Security to gather logs, and subsequently, I provide the team with access to the servers through a change management ticket or incident. I wasn't involved in the installation process during my tenure as a Windows server lead. I also verify whether all our actions adhere to the compliance framework.

Our deployment of Splunk Enterprise Security was all on-premises.

The visibility that Splunk Enterprise Security provides is beneficial and valuable.

Splunk Enterprise Security helped analyze malicious activities.

With Splunk Enterprise Security we were able to detect threats faster.

Splunk Enterprise Security contributed to a reduction in alert volume as our employees became aware of being monitored and ceased accessing the server without proper authorization.

Splunk Enterprise Security has significantly accelerated our security investigations by centralizing all log data and enabling us to quickly retrieve the necessary information through simple queries.

The most valuable features are the logs, which allow us to identify what happened and who interacted with the web repository.

Some of the queries are difficult to run and have room for improvement.

I am currently using Splunk Enterprise Security. 

I would rate the stability of Splunk Enterprise Security ten out of ten. We have never had an issue with stability.

Splunk Enterprise Security is scalable.

Splunk Enterprise Security's resilience is a valuable asset.

Organizations seeking a more affordable solution should first carefully evaluate their specific business requirements. While cheaper alternatives exist, they may lack the necessary features to adequately address their security needs. In such cases, Splunk Enterprise Security could be a more suitable option.

Splunk Enterprise Security is a worthwhile investment given the comprehensive range of features it offers.

I would rate Splunk Enterprise Security eight out of ten.

I recommend Splunk Enterprise Security.

We use Splunk Enterprise Security to identify and resolve critical issues and errors within our environment.

The visibility that Splunk Enterprise Security provides is good. We can easily find the data we need using the logs.

Monitoring multiple cloud environments using Splunk Enterprise Security was not difficult.

Splunk Enterprise Security's insider threat detection capabilities enable us to effortlessly identify unknown threats and anonymous user behavior.

Splunk Enterprise Security helped us analyze malicious activities and detect breaches between 50 to 90 percent faster.

Splunk Enterprise Security has helped reduce alert volumes by up to 90 percent.

Splunk Enterprise Security has helped speed up our security investigation time by almost 90 percent.

The most valuable feature of Splunk Enterprise Security is the comprehensive logging capabilities it provides.

The price of Splunk Enterprise Security is high and can be improved.

Given the ever-increasing number of threats, I would like Splunk to update its threat signatures more frequently.

I have been using Splunk Enterprise Security for one and a half years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The resilience of Splunk allows organizations to protect their data and resolve vulnerabilities quickly.

The technical support provides good resolution.

Positive

I had previously used Loggly, developed by SolarWinds and Elastic. However, I found it to be inaccurate and slow. Elastic offers a free version of its solution, which is more commonly used by smaller businesses.

The implementation was completed by a third party.

Splunk Enterprise Security is expensive. I would rate the cost an eight out of ten with ten being the most expensive.

I recommend Splunk Enterprise Security over cheaper SIEM solutions because of its offerings.

I would rate Splunk Enterprise Security nine out of ten.

Splunk Enterprise Security does not require any maintenance. It is plug-and-play.

I recommend Splunk Enterprise Security for organizations that want to detect threats quickly.