Splunk Enterprise Security Reviews

We're using the solution for log analysis and our internal infrastructure. We may use it for customer offering at some point, but currently, it's completely internal.

The solution's most valuable features are the granularity and analysis of the logs. Once you learn the syntax, it's a great tool. These features are important to us because they enable us to drill down to certain users doing certain things and perform trend analysis.

I have been using Splunk Enterprise Security for well over a year.

We’ve had no issues with the solution’s stability.

We have 90,000 users and deal with massive amounts of data volume.

The solution’s technical support is fantastic.

Positive

We were using IBM's TSM backup tool and our own internal tool. We switched to Splunk Enterprise Security because we wanted to be more of a cloud-forward company and didn't want to host everything on-premises.

We installed the solution mostly by ourselves, but we did have a little help. We installed heavy forwarders at a relatively low cost. Since we already had a VMware environment, we just set up the VMs for the forwarding.

We have seen a return on investment with the tool in terms of seeing what users are doing.

Splunk Enterprise Security incurs a significant cost because of the amount of data we send, but we are fine with the value we're getting for that price.

The tool provides much more insight into what users and our apps do. We also use the solution to monitor a lot of machine-to-machine traffic.

We have a hybrid environment. All of our internal tooling is in our internal data centers, but we also have a big cloud presence for some of our other tooling and mostly for our customers. Speaking from the internal side, Splunk Enterprise Security has been fantastic in helping us find all kinds of security events every day.

Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data. The solution has helped us have everything in one place and grab everything at once. The tool has also helped us solve problems in real time. The Ops team will approach us when they are stuck with a problem ticket. We can look instantly, see what's happening, and track it down.

The solution provides us with the relevant context to help guide our investigations. This context information makes things easier and faster for us. We get more information about exactly what's going on.

Splunk Enterprise Security has helped us save around 50% of our time.

Splunk Enterprise Security has helped reduce our mean time to resolve by 50%.

Overall, I rate the solution ten out of ten.

We currently use Splunk Enterprise Security for security monitoring. Previously, we relied on AWS native monitoring tools. In that setup, logs were forwarded to a Splunk dashboard which was also used by our L1 and L2 support teams to evaluate incoming support cases.

CloudWatch, the native AWS monitoring tool, offers limited metric detail and a complex navigation experience across different data streams. In contrast, Splunk empowers us to create custom dashboards. This allows our team to quickly access the relevant dashboard and perform root cause analysis during an incident, streamlining our response process. This is how Splunk has been instrumental in enhancing our efficiency.

Splunk dashboards significantly improved our incident response by providing a single view of all relevant information. This allowed us to quickly identify and address issues. Additionally, Splunk's customization capabilities enabled us to tailor dashboards to focus on the specific metrics most critical to our operations. As a result, we could easily create dashboards highlighting high-priority metrics. Splunk's real-time data ingestion allowed for near-instantaneous monitoring. Logs generated in AWS were pushed to Splunk almost immediately through a collector. This enabled us to use the dashboard to investigate these logs in real-time. Furthermore, integrated identity and access management facilitated easy sharing of dashboards with other users.

Splunk itself may not have directly improved collaboration on security issues. However, in the event of an incident requiring investigation by a senior security professional, Splunk simplifies the process. L1/L2 teams and support engineers can easily point to the relevant dashboard connected to the issue. Additionally, these dashboards provide valuable features for further investigation, post-mortem analysis, or what they might call building the analysis or post-mortem report.

Splunk has been helpful for customers in resolving a wide range of issues. Whenever a problem arises, IT staff can quickly identify the root cause using Splunk. This allows for faster issue resolution, which in turn helps businesses retain customers and maintain their overall value.

The most valuable feature is the custom dashboard feature.

Splunk is robust and user-friendly.

Splunk's ability to analyze malicious activities scores an 8 out of 10, but there's room for improvement. By analyzing emerging patterns, Splunk could identify and predict potential threats more effectively.

I have been using Splunk Enterprise Security for three years.

I would rate Splunk Enterprise Security's stability 9 out of 10. 

Splunk Enterprise Security was able to meet our scalability needs.

We previously used native cloud monitoring. Now, we supplement it with Splunk to benefit from its additional features.

While the initial deployment was simplified by the availability of Splunk connectors in the public cloud, additional effort was required. We had to write the infrastructure as code, build the connector itself, pull the logs, and push them to the Splunk endpoint. These steps, including connection and configuration integration, would equate to moderate effort for a single person.

For those considering a SIEM solution but prioritizing affordability, Splunk is a strong contender. My experience using Splunk for several years has been positive, with minimal glitches. Additionally, its user-friendly GUI allows new users to contribute immediately. Splunk is also feature-rich, offering a wide range of functionalities out-of-the-box. However, remember that quality often comes at a cost. Considering these factors, Splunk emerges as a cost-effective solution.

I would rate Splunk Enterprise Security 8 out of 10.

Splunk did not help us reduce our alert volume because it was not integrated directly for alerting. It was integrated for monitoring. The alerting happened from our native cloud.

Splunk is self-sustainable and doesn't require maintenance.

We have never needed to contact Splunk support because their documentation is good enough for us to resolve the issues ourselves.

Splunk Enterprise Security is a stable, feature-rich, and user-friendly product with a well-designed graphical user interface.

We use the solution to build correlation searches around insider threats and exultation of data. We also use it for DLP (data loss prevention) and to get more visibility on what's happening in our environment that could increase risk.

The solution's data aggregation has allowed our organization to unify a lot of inputs from various tools in one space and to be able to search from there.

The solution's most valuable feature is risk-based alerting, focusing on building out user risks for individuals throughout the enterprise.

It is important to our organization's security that Splunk Enterprise Security provides end-to-end visibility into our environment.

Splunk Enterprise Security's ability to find any security event across multi-cloud, on-premises, or hybrid environments is good. It's more about how you configure it and how well your company is equipped to provide and allocate resources to make the best use of the tool.

It has helped reduce our mean time to resolve.

The tool should include more real-world use case examples built out either through videos or in the community. These should not just be examples of how it can be implemented but of how previous solutions have been transitioned to new solutions and how they provide a different and better approach.

I have been using Splunk Enterprise Security for one to three years.

Splunk Enterprise Security is a very stable solution.

The solution’s scalability is based on the cost.

Splunk Enterprise Security is just a tool you can use, and then it's really up to the customer how they leverage it best.

Overall, I rate the solution a six out of ten.

Generally, we leverage it to correlate all of our threat intelligence data with all of our log events to make researching them simpler.

Splunk Enterprise Security gives us a lot more visibility into the entire enterprise and makes our analysis simpler. It streamlines the process and makes it easier to handle it.

It is very important for us that Splunk Enterprise Security provides end-to-end visibility into our environment. It saves us all the time where we used to have to go from tool to tool to tool to track down issues. Splunk Enterprise Security has tenfold reduced the amount of time it takes to investigate any one thing.

Splunk Enterprise Security simplifies being able to pivot from one data point to everything else, and it does not matter where in the pipeline that occurred because you can see it all.

It has helped improve our organization’s ability to ingest and normalize data. It has been very impressive how it is able to handle all of that for visibility and tracking things down.

Splunk Enterprise Security has not yet helped to reduce our alert volume. Our alert volume has increased at this point because we are still getting used to it, but I see how it can reduce the alert volume.

It provides us with the relevant context to help guide our investigations. The biggest part of it is that when we go through the alerts and the notable events, we are able to pivot to information from data sources that are not necessarily in Splunk, and we are able to run the automated response actions.

Splunk Enterprise Security has helped reduce our mean time to resolve. I do not have the metrics, but it is a decent amount.

Every process has been streamlined. Things for which you have to bounce between multiple tools can be done in one place, which in its nature speeds everything up and reduces the manpower.

Correlation search, in general, is valuable because it allows us to search multiple data sources easily.

The main issue that I have with it is that the field transformations sometimes overlap with those in Splunk Enterprise, and then you get permissions issues that lead to troubles.

I do not have any additional features that can be included. From what I gather, Mission Control is already included in the next release, as is a lot of the Cisco threat data.

I have been using Splunk Enterprise Security for about five and a half years.

It is quite good.

I have not experienced any issues with the scalability, but I do not handle the scaling, so I cannot speak to that.

I do not have to deal with them, so I do not have any information. Our administrators handle that side of things.

I did not. We acquired Splunk around about the same time I joined the cybersecurity team. 

I do not handle the administrative part. I am more of a user.

In terms of the deployment model, I believe it is technically a hybrid deployment. I am not involved in the architecture, but I know we are not exclusively cloud and we are not exclusively on-prem. We use AWS.

I know we had Splunk Professional Services for the deployment, but I was not involved.

I do not know what the cost is, but I would imagine we have seen an ROI because we are able to run our security team with fewer people than previously.

I do not know what we evaluated because I came to the company at the same time we got Splunk.

I would rate Splunk Enterprise Security an eight out of ten. It is an amazing tool that provides so much visibility and streamlines so much. The main issues I have encountered with Splunk are the difficulties in configuration and keeping everything up to date as the data sources change.

We use Splunk Enterprise Security to monitor our environment.

The threat intelligence and monitoring of Splunk are good. 

We have integrated Splunk Enterprise Security with ServiceNow so whenever there is a detection it will automatically raise a ticket and send it to the appropriate team for analysis. The integration was seamless.

Splunk has helped reduce our alert volume by 20 percent and sped up our security investigations.

It does a good job detecting threats fast.

Splunk's reporting functionality would benefit from enhanced customization capabilities, allowing users to tailor reports to their specific needs for better data visualization and analysis.

I have been using Splunk Enterprise Security for one and a half years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The initial deployment was straightforward.

Splunk Enterprise Security is expensive.

I would rate Splunk Enterprise Security ten out of ten.

For reporting we don't use the Splunk dashboard, we use Tableau and Power BI.

I would recommend Splunk to others.

While Splunk Enterprise Security offers robust features for large organizations, its cost might be prohibitive for smaller businesses. To address this, I recommend exploring open-source SIEM solutions for small and medium organizations and Splunk for larger organizations.

I am the branch chief. I use Splunk Enterprise Security depending on how swamped the team is. I use it for anything from basic searches to DDoS attacks, which is a big thing right now. So, DDoS attacks and phishing emails are a lot of what I am using it for.

We had FireEye before and then we went to CrowdStrike. Splunk has definitely helped to have everything into the tool. It is a lot easier to complete the tickets. It saves, on average, a couple of hours a day. We just go to Splunk and then provide data and work with different people on the tickets, so it saves hours each day. We have been able to allocate these hours to other projects or things that are more of a priority. We are able to do different projects that were on the back burner. We can put those hours towards other things.

Splunk has improved our organization’s business resilience. We are able to give leadership updates through dashboards versus the actual metadata. It is easier for them to understand and provide leadership.

Splunk’s ability to predict, identify, and solve problems in real-time is very good. It is proven. Every couple of weeks, it catches some of the things that our SOC team did not catch and provides alerts, so its real-time capabilities are very good.

Our team has overall benefited from Splunk. We had FireEye before, which was not that good. We are able to benefit from Splunk not only in terms of instant response. We also have other teams doing vulnerability management using the Prisma systems. It is important that Splunk provides end-to-end visibility into our native environment. We use it for Prisma and instant response. Without Splunk, we would not be able to do some of the things that we need to do unless we went to individual tools, and we do not have the resources for that.

Exporting is a good feature. It helps me out when I have to do reports. I do a lot of exporting and crunching of the numbers. Dashboards are okay for showing to the leadership, but for doing statistics and updating tickets, the export feature is very beneficial for me.

They offer training. That is a big part of it. If you do not understand the tool, they are able to provide everything that you need, which helps the business. When you have learned a tool, you are able to speed up the process meantime, so you are not wasting a lot of man-hours trying to figure things out. 

I do not have any areas that can be improved. It works as intended for us, and we are getting everything that we need out of it. If anything, its initial setup can be improved a bit. 

In terms of additional features, I am still learning SOAR and everything else, so I do not have any feature requirements at this time, but as we do these SOAR operations, there might be some additional features that we will need.

I have been using Splunk Enterprise Security since 2016.

It is very good as long as you have the scope of how many servers, processors, and other things you need. There was a learning curve of making sure our servers were beefy enough to handle the data. We had four terabytes of data coming in every day. We were maxing out our systems a little bit, so we beefed that up, and we have had no issues since. 

Its scalability is easy. On-prem was very easy, and on the cloud, you have to learn and adapt a little bit, but scalability is perfect. 

I only reached out to our Splunk contacts, but my team reached out to Splunk's support team. I have not had any issues where they told me that they did not get the support they needed. They might take time to figure out what the issue is, but overall, I would rate their support a ten out of ten. 

Positive

We used FireEye, which was our primary one, and then we had CrowdStrike. Splunk has definitely been wonderful for us. The biggest reason for switching was integration. It is very easy to get all the tools fed into Splunk. They also had a cloud version, which was another reason. We are doing a hybrid setup, so cost savings was also a big factor.

I was involved in its deployment. I am the system owner of it. I am in charge of it, so I oversaw the project deployment. There is a learning curve with the hybrid setup with the cloud and on-prem, but overall, I am pretty satisfied with it.

We have an on-prem and a cloud environment depending on the platforms we are using in the system, so we have both environments. The challenging part was getting everything set up and fed into Splunk, but once it is set up, there is no difference in using it on-prem or on the cloud. We do not notice any real difference in it. 

The initial setup could be improved a little bit. It depends on your local team, firewalls, and other things like that, so there was a learning curve for the teams to learn how to set it up. That part could be improved, but once you go through it, it is not an issue. 

We had the Splunk team, and they did wherever they needed to get everything deployed. Our experience with them was good. We have worked with Splunk for years now. Their support has been very beneficial. If I have a question, they jump right on and let me know. They walk me through it and give me updates, so I am pretty happy with Splunk.

We have seen an ROI in terms of the mean time to resolution and man-hours. We are able to allocate those hours to other things. We have not got there yet in terms of the upfront costs, but we will get there over time.

When it comes to the time to value, we are getting there. We have not got there yet, but over time, we will get to the time to value.

Its price is fair. Like with anything else, if you go into the cloud, different providers cost more, and you are able to throttle back or throttle up. The cost is comparable with anything else.

We evaluated other options. We had to evaluate the pros and cons in terms of the cost and the capabilities of each tool. A lot of that went into the proof of concept. We did our due diligence and determined that Splunk was the best fit for us.

I would rate Splunk Enterprise Security a ten out of ten. It gives us everything we need, and its capabilities keep on improving, so it is getting better. 

We use Splunk to monitor unusual user behaviors. For example, if any user onboards from a different domain, it will trigger an alert. We also get alerts and high traffic when the ADI server is down. Splunk will monitor that behavior or when users make repeated wrong login attempts.

My full-time job is managing the IAM product. Splunk is one of our security monitoring tools. Most of my work is on IAM tools like CyberArk and SailPoint, etc. 

Splunk manages all of our security and maintains a hundred percent availability. It improves business while securing the entire cloud environment. In terms of business, we don't need manual monitoring. It automatically monitors and notifies an administrator, so we can easily track and identify the particular issue. It saves our employees' time, and we can manage the environment without any impact on business service.

In the UK, hackers use automated software to make repeated login attempts. Splunk immediately identified these attempts and notified the admins, so the red team suddenly took action to block them.

It's nonstop monitoring that isn't affected by business hours. You don't need a manual administrator. Splunk will monitor everything, and a single administrator can monitor the alerts. Splunk will notify us if any unusual behavior happens, allowing us to take immediate action. There's no need for any further investigation and log analysis. It provides the exact result, what happened, and where it happened. 

Splunk helps us reduce alert volume. Whenever the same type of attack occurs repeatedly, we can change the environment and improve the security so the attack won't repeat. 

It speeds up our investigations through automation. Investigating manually takes a long time, and we sometimes cannot identify the exact issue. Splunk monitors the data and events, so we configured a range. If it triggers that area, it will provide the exact result. We can immediately identify and fix it. There's no need to investigate. It reduces the mean time to resolve by 80 percent. 

Splunk is user-friendly. We can easily customize the monitoring script. We support a multi-cloud environment covering Windows Server, AWS, and Google Cloud. We also use ForgeRock to monitor Linux machines. It sends us alerts when the disk size gets full. When an employee logs in from a different region, it triggers an alert. 

Splunk isn't appropriate for smaller companies. It's too expensive.

I have used Splunk for two years.

Splunk is a highly stable product. 

I rate Splunk nine out of 10. When we have any questions, we raise a ticket and they respond in two or three hours. 

Positive

Splunk provides the tenant, and we can directly integrate it into the cloud URL. For the hosting, we can deploy it to the EC2 instance. Splunk is integrated with Cypress, CyberArk, and Fastdesk. Splunk also supports SAML integration. Splunk is a SAML application, so we can use SAML protocol to enable it. 

I rate Splunk Enterprise Security nine out of 10. 

Our primary use cases are for detection and remediation.

The benefits we've seen from Splunk is that we can promote it to our customers. The second benefit is that it works. It does what it's purported to do, and the support is more than adequate. 

The most valuable feature is that it brings all of the components necessary to identify, analyze, and respond together.

It's pretty important that Splunk provides end-to-end visibility into your environment. As in any product that one purchases to fulfill a function, we want to recognize where it came in, who it affected, and what the challenges are that need to be met in order to resolve something, both immediately and also to make sure that it doesn't replicate in the future. Splunk does a good job of being able to do the former half. Dealing with issues requires tier-three support and above and it takes time. You can work through it with the help of your vendor team.

I would rate them an eight out of ten. It's not so much the problem of the application itself, although there are always improvements that can be done. There are a lot of moving parts that need to be added in and if you don't have the information that you need, especially within identity and inventory, then that can be an added challenge when you have to start making imprints based on what you do know.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. There are a number of different standards that can be presented, which is beneficial. Some customers like to have the information that they receive in one format. The driving factor is that when you work with federal customers, some of them want it in one format. The response will be in one format as opposed to another. 

Splunk has helped to improve my company's business resilience. It's an active component in ensuring that we are vigilant against intrusion and detecting it.

Splunk is such a large product. Allowing it to be more easily used by people who have not had a lot of training on it would be an improvement. That's something that they're accomplishing with their current version, although I haven't had an opportunity to learn much about it. With AI capabilities coming on board, a lot of that will alleviate the minutiae that people need to know in order to resolve problems as they come up.

Splunk's ability to predict, identify, and solve problems in real-time is a work in progress.

I have been using Splunk Enterprise Security for the past four years.

Aside from the fact that it can be a resource hog, I'm satisfied with the stability. I don't have too many problems except for a few occasions when we have a threat intelligence file blow up a drive because there's not enough room. It might be because a complete configuration has not been implemented. 

I like the fact that it can be tweaked, but a lot of the various configurations for how long data is held or how long particular components of investigation are held. 

I encourage users to use the vendor management team and cultivate a relationship with them. I have worked with companies who had support that I would rate 11 out of 10. I would rate Splunk an eight out of ten because as any large growing company, they have challenges with keeping the talent necessary, who are not only educated to evaluate a problem and pass it on or solve it themselves.

Positive

The largest challenge with the setup is that it has so many different components. The environment that we're in is a multi-tenant. Enterprise Security with all of its components is huge. If you're using something like a deployment server you can't break it up. It makes it rather unwieldy. I'm sure that there are workarounds that have not been implemented in-house.

Splunk provides more than the people who pay for it realize. I had a few exercises in presenting ROI and benefit-cost analysis and I have been able to demonstrate where it has performed superior to other options.

I was deeply distressed when they went away from their perpetual license.

We evaluated Splunk's typical competitors. We went with Splunk because Splunk has the underlying capability of not only ingesting anything and storing it using their bloom filters and whatnot in order so that you can do sparse and large searches relatively quickly. It also has a wonderful presentation layer, which can basically plug into many other systems. I find Splunk to be a veritable Swiss Grey knife of capabilities.

I would rate Splunk Enterprise Security an eight out of ten because there's always room for improvement and because it can be difficult to learn.