Splunk Enterprise Security Reviews

Our primary use case is to find brute-force attempts on our systems. 

We use it for security purposes, to find malicious activity, and to find misusage of our business platform.

The main benefits we have from Splunk Enterprise Security are the alerts with which we can manage the searches and the notables which can be good for documentation.

Identity management is the most valuable feature. 

Its ability to find any security event across any environment is useful if you use the risk parameter. If it can correlate with an identity or an asset, then correlations between such events are up to the analyst. 

Splunk Enterprise Security helped improve our organization’s ability to ingest and normalize data.

Splunk helped to reduce our alert volume by 53%. We work based on an on-call process. The analyst who is on call can use Enterprise Security to see what alerts they have and work from there.

If you load it correctly, Splunk will provide us with the relevant context to help guide our investigations. It made it easier. 

Splunk Enterprise Security helped improve our organization's business resilience.

In terms of its ability to create, identify, and solve problems in real-time, if the problem arises, we can go and look at Splunk, but if it's happening in real time and no one reports the issue, then it doesn't work in real time. 

It helps consolidate networking, security, and IT observability tools but it doesn't have such a big impact on our company. 

It should work better out of the box and have better use cases that would not require my intervention. For example, if I install an antivirus and endpoint protection on my computer, I don't need to do much. But to get any value from Splunk, I need to work hard on it. 

In the next release, they should include machine learning-based rules that would streamline the process of finding anomalies.

For real-time detection, I would not say that Splunk is the best. If you experience a problem and go to Splunk to look at the dashboard, then it's in real-time. Because of the way Splunk works, I wouldn't get an alert in real-time. 

I have been using Splunk Enterprise Security for five years. 

On newer servers, it can be stable. On our servers, it can take a while. We need to re-enter when we press selections. 

It is scalable. You can add more servers and analysts. 

Support depends on the issue. Sometimes they help but most of the time, I have to solve the issue on my own. 

I would rate support a six out of ten. Usually, it can take time until I get to someone who can help. The diagnostics aren't always accurate. I once had an issue where they replaced a certificate that we weren't using, so it didn't solve the problem. It can take a few iterations to solve the problem.

Neutral

The deployment is fine for me, but it is not really straightforward. I would suggest simplifying the process. For example, the whole certificate part is not secured by default. I would recommend fixing that.

We used EMET Computing for the integration. They are fine. 

We do see ROI. We can deduce the ROI from finding the damage that misusing our business platform is causing. 

I think that the price can be too high sometimes, especially for the cloud. We get a lot of logs that are meaningless. For example, if we are using a firewall, we get a message for every session or packet. A lot of those connections are the same. We pay a lot of money on the license and on logs that are the same. If there was a way to aggregate them, the cost of the license would be reduced.

I would rate Splunk Enterprise Security a six out of ten. It is useful but it doesn't add that much value on top of standard Splunk. Because of our use cases and environment, we don't use all of the features it has. Nevertheless, the value it provides isn't so different from Splunk Core.

When we identify a threat in the environment, we try to track down whether it has moved from one system to another or there is any lateral movement. When we are trying to figure out how it got started and where it came from, we use Splunk to identify those logs. Palo Alto is our biggest index for the firewall, and we can look into those logs, see the relevant data, and correlate it into something that makes sense, so we can track down the problem.

For the most part, it makes it easier to read the index data. Instead of trying to look through an individual index, all the logs, and other aspects, it brings everything to one area. I can look at the relevant data that I need to identify the threat.

Splunk Enterprise Security has helped reduce our mean time to resolve. I do not have the metrics, but I know it is faster compared to the old way of doing it. Previously, we had to go through Windows logs and security logs. We had to go through each log to figure out what happened. I can pull all of the information way faster with Splunk Enterprise Security. I can look at multiple systems.

Splunk's unified platform has helped consolidate networking, security, and IT observability tools.

Splunk Enterprise Security brings all the logs into one central location to look at the relevant data and filter out the things I do not use. We are able to see the logs of multiple systems, the logs of the firewall, and the logs of the DNS and the Windows servers. It is able to bring all of that together and give a nice, solid picture of what is happening. We can read those logs faster.

Splunk Enterprise Security provides end-to-end visibility into the environment. It is very important for our organization to be able to see the threats, understand the threats, and figure out how to stop those threats. That is the importance of it. We are a casino. After what happened last year with two casinos in terms of hacking, we want to be able to stop that from happening to us. We learned a lot of lessons from what happened to the other two casino properties, and we applied them to a lot of our tools. Splunk Enterprise Security gives us a heads-up a lot faster.

Splunk Enterprise Security helped improve our organization’s business resilience.

Its alerting is most valuable. We have alerts set up in our environment for certain attacks, such as an SQL injection attempt. We have a front-facing server for the website. It is out there, and anybody can access it. When those SQL injection attempts come in, we can detect that with the alert. We get the alert in our mailbox, so we can start looking at it right away. Generally, with a SQL injection attempt, there is way more to it than just the SQL injection. There could be another 15 or 20 different types of attacks attempted during the injection. They are just trying to see if there is any vulnerability, and then they can take a shot at it.

I do not have any pain points for Splunk Enterprise Security. I am still trying to learn it, but there can be more information on the education side for Splunk Enterprise Security. It would be nice if the certification path was more specific to what I use instead of being so broad.

I have been using Splunk Enterprise Security for about six months.

Besides the forwarder, it is nice. The forwarder ran out of space, so it occasionally has to be rebooted to clear out the space that is being utilized.

We have 50 gigs of data.

I never really had to use professional services. For the most part, everybody is knowledgeable and patient, and there is a decent amount of communication back and forth.

I would rate their support an eight out of ten. My biggest issue right now has not been solved yet. Our heavy forwarder ran out of space. It is a VM. By using vCenter, we presented more space to the drive, but we could not get the VM or the Linux OS to allocate the new space. So far, nobody has been able to help us fix that. The current solution is to just upgrade it. We are not in a position to upgrade it right now because of the workload.

Positive

I changed my career last year to InfoSec. I was in IT before that. With IT, if there is a problem with the system, we just look at the logs. With Splunk, it is nice to be able to have it all centralized in my location where I can look at the data relatively fast as opposed to a line-by-line.

I was not involved in its setup. We have a bit of a hybrid setup. We have an on-prem data center and then we also have a cloud. We have Azure Cloud.

I would say that we have seen an ROI, but I do not know the numbers.

I would rate Splunk Enterprise Security a ten out of ten.

We are using it for our SOC. We integrated it with our SOC.

We have had a couple of benefits. We are using it as a SIEM. We do log extraction and analyze them. We also use reporting and dashboards. We are using it for security assessment. It is very helpful for us to be able to see what it has been like. Based on the incidents, we can take measures to cover any gaps.

Our security posture has definitely improved since we started using Splunk Enterprise Security. We are scaling it in stages. We are not yet using it at an optimum level. We are using 50% to 60% of it. Based on the analysis that we are doing, our security posture has definitely improved.

The end-to-end visibility that it provides is very important for any organization. It is the right tool to get end-to-end visibility. We get 360-degree visibility.

Like most organizations, we are moving to the cloud. We have a hybrid environment. We have a SaaS, PaaS, and on-prem environment. It is a very good tool for identifying security incidents. There are statistics, and we can go back and forth to see exactly what happened.

Splunk Enterprise Security has improved our organization’s ability to ingest and normalize data.

It is a real-time tool. What I like about it is how they are able to bring all the logs into a single dashboard. We can quickly get what we are looking for. We have queries. That is amazing.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. We are not using it completely, but based on our usage, it is up to our expectations.

Splunk Enterprise Security has helped reduce our mean time to resolve. Previously, if an incident used to take us an hour, it now takes us a few minutes.

The dashboard is amazing. Out-of-the-box dashboard is very good. It is very user-friendly. It is out of the box. With a few clicks, the dashboard is there.

Its performance can be better. Sometimes, it takes longer when we do queries.

Their support can also be better.

We have been using Splunk Enterprise Security for the last seven or eight years.

It is very stable. I would rate it a ten out of ten for stability.

Scalability is there. I would rate it a ten out of ten for scalability.

As we are increasing our cloud and on-prem infrastructure, logs are increasing. We have to come up with policies on our side for log retention and other things, but we are able to collect logs from multiple sources.

I would rate their support a seven out of ten. Its implementation was a big challenge, and sometimes, the ticket went from one person to another person.

Neutral

We were using Alert Logic. It is good, but there are performance issues with the dashboard and other things. At times, it takes ages, whereas Splunk Enterprise Security is real-time.

Its deployment is not easy. It is difficult. It is a one-time job, and once it is done, you get the benefits. 

We had to engage a third party or a channel partner. It was the right choice.

Application-wise, we have seen a lot of improvement in our application delivery. On the security side, we are still learning.

It is pretty straightforward and based on the sizing. If I compare it with other competitors, it makes sense.

We looked at LogRhythm, but Splunk is more mature.

I would rate Splunk Enterprise Security a nine out of ten. It is not a ten because of the support.

We use the product to analyze security anomalies and research specific threats that we get on our network.

The solution has made us more secure. It has given us the ability to address threats faster, with greater accuracy.

The availability of the data and the fact that we're able to collect a large amount of data into the system and analyze it is valuable to us. The product’s speed and availability make it really useful for us. I'm excited about the additional enhancements to the machine learning toolkit. To be able to use it more is exciting to me.

My organization needs more people to learn how to use the solution effectively. It takes time to train people.

I have been using the solution for six years.

I have never seen any issues with the tool’s stability.

Considering how much we have in place, I would assume that the solution’s scalability is pretty strong.

I haven't had to go to Splunk directly for many things. Communicating with our success managers has been very positive.

Positive

We need to improve our implementation. We're a pretty large customer of Splunk, so I think we do have a lot of resources available. Splunk has really good courses and availability. We need to get more people to be more familiar with the tool. The solution has helped us reduce our mean time to resolve. It really works well for us, and it helps us to look at our data more effectively.

Splunk has helped improve our organization’s business resilience. It's not just used for security. We have big use for it. It has definitely helped us prevent problems from occurring and identify them when they do. Splunk’s ability to predict, identify, and solve problems in real time is very strong. It works as well as we use it. There's a lot of value within the tool. It can be very powerful if used properly and if people are knowledgeable about it.

Splunk has a strong ability to provide business resiliency by empowering staff. I've been using it for as long as I've been with this organization. Compared to other solutions, Splunk is really strong.

I have seen time to value using this solution. I love using it. It’s a great tool. I cannot compare Splunk to other tools because I've been using it for as long as I've been with my current organization. In my previous organization, we didn't have big data, so we really didn't need the product. I am a consumer of the solution from a security perspective.

Overall, I rate the solution an eight or a nine out of ten.

The primary use case is computer network defense.

It is very important that Splunk ES provides end-to-end visibility in our environment. Part of the solution is bringing the user closer to the resolution.

The integration with other risk-based solutions, such as the risk matrix applications included with Splunk, is helpful. It helps us identify the risks without having to delve into other resources.

Splunk helped improve our company's ability to ingest and normalize data. That's the primary use of Splunk Enterprise or Core. For ingestion, we've been using Splunk Enterprise for about six or seven years before we had ES. So, that was the primary reason we got it.

In terms of the risk-based part, Splunk improved our ability to ingest and normalize data. Initially, we used Splunk Enterprise Core for aggregation and correlation. We didn't have the risk-based reporting.

I'm very impressed with Splunk's ability to identify and solve problems in real time. And I look forward to the new version improving the product.

We've been able to discover things we didn't see before. So, there's more that we discover now.

Splunk ES provides us with the relevant context to help guide our investigation. It goes back to the time to resolution. We have to do much less investigation because it's already built-in alerting. 

Risk-based reporting and anomaly detection are valuable features.

The biggest advantage is the reduced time to resolution. Before, it took us up to days to resolve issues, and with Splunk, we've been able to move that down to hours or even minutes in some cases.

I was just at the conference, and they spoke about and demoed a new version of Splunk. It looked like some pain points are resolved in the new solution, such as not having to go to so many different panels. Like to streamline or improve the UI. 

In terms of training. I find that some things about Splunk aren't well-explained. I see features and then go to the website but don't find good explanations. However, I can always call support and get help.

We purchased ES four years ago.

If properly built, I'm very impressed with the stability of Splunk ES. We initially stood it up on a single server, and to make it more robust, we had to break out of that single server concept to make it more resilient. 

The scalability is very good. That comes from our experience of having to scale out, and Splunk's documentation on scaling up is very good.

Every time we've used Splunk support, it's been very good. We don't have any in-house Splunk engineers, but headquarters has some they can send to assist us, so I can call on them. It's a very good support chain.

If there is some room for improvement, it is in terms of training. I find that some things about Splunk aren't well-explained. I see features and then go to the website but don't find good explanations. However, I can always call support and get help.

Positive

My company is very impressed with Splunk. We've used several SIEMs before, and Splunk has been the most efficient one.

There was one called Intelotactic, and another was called Secureworks. I believe both of those are gone now.

Initially, with Splunk, we had a steep learning curve. It went from a fairly low ingestion point to figuring out how much data we needed to get to a certain level. Even when we got to a level we were happy with; we found that we were ingesting a lot of noise in the data. We had to figure out ways to reduce that noise.

We bought the maintenance along with Splunk ES and used Splunk engineers to assist us in the setup. It was a very good process. It worked out very well for us.

The knowledge of the individual sent to us was impressive.

Deployment model: Ours is all on-prem currently, but we are headed towards a cloud solution.

I would rate it a nine out of ten. 

We use Splunk Enterprise Security for monitoring. We've been using it for monitoring our network. We've created some rules and use cases and we get alerts based on rules. 

It’s helpful in relation to the security perspective. With it, we can monitor all log sources and it helps us to reduce risks to our enterprise from a security perspective.

We can monitor all of our digital assets and reduce threats via constant monitoring. Using Splunk, we can mitigate malicious activities on the spot. 

The solution offers a variety of good features. It has a simple user interface where we can find various options easily. The search functionality is great.

Integrations can be done easily. It’s not complex like other solutions, like Radar or Azure. Everything is easy to manage, including the low sources.

The visibility is continuous. We have different web servers, databases, routers, endpoints, et cetera, and we gain visibility from a security perspective to all of them. We can generate different types of dashboards to visualize traffic from various resources.

We can see user behavior and have access to user behavior analytics. We also are able to have some custom rules that allow us to effectively continuously monitor the activities of our users. We use a third-party solution for that.

Splunk Enterprise Security is helpful for analyzing malicious activities and detecting breaches. I can take various logs from log sources and centrally manage everything via custom rules. We have been satisfied with the capability to analyze malicious activities and detect breaches.

It helped us with faster detection of threats. If we compare it with other solutions, it is much faster. For big organizations that have their logs and terabytes, working with something like QRadar takes lots of time. Splunk is much faster.

Since the time of deployment, we've been able to use all of the features and integrate rules and use cases with threat intelligence. We've reduced false positives by 90%. Between the first and sixth months, we reduced our alert volume by 50% to 60%.

Splunk Enterprise Security helped speed up our security investigations. We now have an in-depth insight into endpoint usage. We've saved about 60% of our time if you compare Splunk to how we were operating before in terms of monitoring. 

We'd like to have the number of devices covered under the license to be increased. 

I've been using the solution for seven months.

I'd rate the ability eight out of ten. 

The solution is mostly scalable. The ability to scale is related to storage. If you want to expand storage, it can be quite difficult. 

At this point, we do not have plans to increase our usage.

I'm satisfied with the level of service technical support provides. 

Positive

Previously, I have used QRadar. My current company uses Splunk. 

I was not involved in the deployment of the solution. 

There is some maintenance required. Users need to do some administration around storage and monitoring. 

I'm not sure how much the solution costs, or how much my company pays for it. 

If a company needs something cheaper than Splunk, there are some open-source solutions available to them. 

The resilience of the solution is good. It's quite scalable, however, it does depend on the license. If you want more sources or logs you need to increase your license.  

I'd advise users to evaluate the solution to see if it meets their personal requirements.

I would rate the solution eight out of ten. 

We use it for a lot of compliance work and incident reviews. We are also using it for remediation and tracking assets.

We use Splunk not just for security, but we also collect a lot of data from our operational equipment. We are using it a lot for troubleshooting and trending and even for command and control.

It has reduced our mean time to resolve some of the things. We are able to look at the data a lot faster and see what is going on. For some of our use cases, our NOC controllers or our operators are looking at the Splunk dashboard a lot. It is a part of their main job. In one specific use case, we used to take a couple of weeks to do certain maintenance. With Splunk and having the data, we were able to reduce that to just a few hours.

It has helped improve our organization's business resilience. We are able to have the data collected in one spot, see it, and get some insights from it. That has helped a lot.

It has definitely given our technical workforce tools to help with their jobs for troubleshooting and things like that.

From the class that I took this week, being able to create notable events from whatever you find in the data set is pretty useful.

We are waiting for Dashboard Studio to mature a little bit more. There are some things that we are using with Classic Dashboards which have not yet made it to Dashboard Studio. We are waiting for that.

It seems to be limited in terms of predictive features. I took up machine learning a couple of years ago. It seems to have some capabilities there, but I do not have specific things for it right now.

In our organization, we have had it for over five years, but my personal experience with it is very limited.

It has been working for us so far.

We have been able to scale as needed.

I have not contacted their support directly because we have folks who are pretty knowledgeable. I go to them, and then they go to their support if needed. As far as I could tell, their support has been okay. I have not heard of any issues.

We did not have a similar product. Splunk came as a security product, and we have evolved it into doing operational work.

We have folks who do the deployment. I am more on the interface side.

We would have seen an ROI. We are using it for a lot of our operational work and other things as well that are not related to what we are doing on a daily basis. We are looking at logs and other things that our executives are looking for.

Its time to value was within a year or so. There are a lot more things that we could do with Splunk, and that is why we ended up adding some stuff to it to fit our needs.

It is hard to tell whether we had any cost efficiencies because we did not have something like this before. Of course, we have Splunk now.

As a team, we prefer the old pricing model with a perpetual license. We are still evaluating the whole subscription-based model. 

We did not evaluate other solutions. Splunk came in with the modernization effort that we were going through, so it just came with the system.

We are pretty happy with it. I would rate Splunk Enterprise Security a seven out of ten.

The use cases are mainly around monitoring for our clients' security operation centers and correlation of events and analytics for incidents that have been identified.

It has really improved things for our clients by reducing false positives. Most of the time, analysts end up wasting their time with false incidents, and that has been drastically reduced by Splunk.

It also definitely helps speed up your security investigations.

The dashboard and reporting are very good. Our clients monitor multiple cloud environments and Splunk helps because, in general, monitoring multiple cloud environments is definitely difficult and very complex. It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk.

The solution is also very good in its threat-hunting capabilities and anomaly detection. It uses an AI-based detection system to identify real-time anomalies and provides complete visibility into the network.

And you can feed multiple threat sources into Splunk and the Threat Intelligence Management feature gives you information about current or potential attacks. It provides complete security support in the threat intelligence space. It helps your administrator to correlate indicators of compromise from threat intelligence databases and feeds.

Also, the Splunk Mission Control feature, which is mainly for Splunk Enterprise Security cloud users, provides a unified and simplified security operations experience for SOC analysts.

We also use the solution's Threat Topology and MITRE ATT&CK framework feature. That's something you need for cyber breaches to contain a threat. This feature comes into play when you need to mitigate an incident in your environment.

While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated. Splunk has integrations with AWS, Azure, and other cloud providers, but when it comes to legacy applications, it is difficult to do a Splunk integration.

We have been working with Splunk Enterprise Security for one and a half years.

It's a very stable solution. 

It is very highly scalable.

The technical support is very good.

Positive

I used IBM Security QRadar. The main reason for switching is that Splunk has the scalability to handle bigger enterprise logs. Log management is the biggest issue in any SIEM. Splunk is able to rapidly grow its capacity.

Our clients' implementations are mostly on-prem and in the cloud.

Splunk is definitely not a cheap solution. It is an expensive product.

If a customer is evaluating SIEM solutions and is considering cheaper products, it depends on the customer's budget and use cases. For a large, enterprise customer with critical infrastructure that needs to be monitored 24/7, obviously, the cheaper solutions may not have the capacity to handle the huge volume of data. Splunk has the SIEM and the scalability as well as visibility features. When you want to monitor your applications and how they are performing, that is where Splunk is very strong.

In terms of maintenance of Splunk, you need to have an IT administrator monitoring it at all times.

When it comes to a large, enterprise customer's critical infrastructure, Splunk is one of the best solutions to use in a security operations center. It has multiple advantages, such as the dashboard that provides complete visibility, and a threat detection system with very advanced features. It is very valuable for any company that wants a good protection system.

You should definitely consider Splunk as one of your options for your SOC.