Splunk Enterprise Security Reviews

Our technical teams are demoing various enterprise tools to develop experience and knowledge so we can better serve our clients. In addition to Splunk, we are evaluating IBM QRadar and one other solution. One of our customers is asking about the Splunk MSP model.

Splunk allows us to customize processing and dashboards, which helps us take care of our customers' needs. Splunk is costly, but it's better than other products. It speeds up security investigations. It helps us detect threats faster. Everything is faster. The only part that's lagging is the management. Otherwise, Splunk is good. It took about a month to realize the solution's benefits. 

We get few alerts except for the other solutions we have integrated with Splunk. We'll monitor those alerts and support their customers, but we don't have any other mechanisms for databases or something outside of the infrastructure. 

Splunk enables us to customize dashboards and queries, and we can add multiple admin users. We only use the essential parts, including the MITRE ATT&CK framework capabilities. Organizations share threat information under the MITRE ATT&CK framework. We do threat hunting and marketing based on that.

We do manual threat hunting. We get all the IP addresses and check the threat databases to determine if it's malicious. 

The algorithms and alerts could be improved. I would also like to pre-build use cases. We need to create the algorithm based on our use cases. 

The threat management part is still lagging. There are some gaps in threat management. Other vendors have built-in threat management systems, but Splunk lacks the threat management component in its portal. The UEBA and everything else is perfect, but it lacks a unified threat intelligence and management feature. 

We've also had problems integrating the solution. We get multiple errors, like search log errors, UI errors, etc., and performance issues. It's fine with basic content, but if we're dealing with multiple data sources and 30 GB of data, it cannot handle the load. Our customer is indexing around 10 GB of data daily, and I can't search the log without getting errors. 

Splunk Enterprise is stable. 

Splunk Enterprise is highly scalable. 

We haven't had to contact Splunk support because we can find all the answers we need online. 

We also use IBM QRadar.

Deploying Splunk is straightforward. We had no issues. 

Splunk is more expensive than most solutions, but it offers lots of value. If a customer wants the cheapest solution, we'll use that.

I rate Splunk Enterprise Security an eight out of ten. I would give it a ten if it had built-in threat management. 

We usually use the solution for the same functionality, which includes setting up alerting and making notables. We also use it for the workflow from ingestion, alerting, and response.

Splunk Enterprise Security serves as our SIEM, providing security alerts, operational alerts, and even some logging that we probably need to check in on from time to time. It basically serves as an alerting platform for our enterprise.

The solution's most valuable feature is the criticality of alerts. Some alerts can be noise, and others will be more high-level and warrant a higher-level response than others.

The solution's automation could be improved. It would be better if we could automate ingesting and alerting for low-level events.

I have been using Splunk Enterprise Security for seven to ten years.

I rate the solution’s stability a nine out of ten.

For the times I've had to set up incidents from critical to lower ones, the technical support team has been fairly responsive. Sometimes, the support team has had a two to three-hour turnaround time for critical incidents. Usually, you would like to get to someone sooner rather than later for critical incidents.

Positive

I've previously used other SIEM tools like ArcSight, QRadar, and Elastic Security.

We have seen a return on investment with the solution.

The solution helps us see what's actually happening in our environment. Some things we might not expect at times, and others we do expect. The tool helps us respond based on what we see from our logs. I've seen and thoroughly liked some AI, automation, and single-pane-of-glass updates coming to the solution.

It is very important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. You can't respond to what you can't see was ingested. So, the visibility provided by the tool into our logs and alerting environment is critical.

From an ingestion point of view, the solution alerts you to what you'd tell it to. It's pretty agnostic log-wise.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data.

It has helped reduce our alert volume. You're getting the same alerts. You can see what's noise, what's actionable, and what's not as actionable.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. We see what's coming into the environment, including specific logs that we wouldn't expect as much. All of that gets filtered into alert data, potentially operational data, and sometimes even billing data, so we can adjust and move forward with that in the environment.

Splunk Enterprise Security helped reduce our mean time to resolve by somewhere between 20% to 35%.

Splunk Enterprise Security has helped improve our organization's business resilience for some ingestion purposes.

The unified platform helps consolidate networking, security, and IT observability tools. Splunk is pretty log-agnostic. All of your logs, tools, and sometimes even dashboards can get ingested into one specific tool. That way, you have a single platform where you can view all those logs and respond based on that data.

Overall, I rate the solution a nine out of ten.

The solution is primarily for security incident investigation. Whenever a customer wants to monitor the environment for any security incident or events that are occurring, and they want to analyze the incident when virtual issues happen, that's when we propose Splunk. Otherwise, it's difficult to understand what kind of security event is arising in the environment.

The primary feature that is the most valuable is the correlation feature, which helps you analyze the data. If there's a lot of telemetry data at some point, Splunk can take advantage of it. It can handle a large volume of data. 

Now, with big data, AI, and all those things, the amount of security data that is generated is too high. Generally, the other SIMs face trouble when handling big data. However, Splunk itself is a very strong solution for handling lots of data. It helps the SOC team analyze data very well, and it does not crash on handling a large amount. That's a key benefit.

Our customers usually monitor multiple cloud environments. It's not very difficult. There are two ways we use Splunk. One is that they can be multiple cloud environments. The second is that it can be an on-prem and a cloud environment. We are mapping it to our one solution. 

Splunk is very flexible and it's integratable with other solutions

If you want to understand how it can analyze or find out incidents, the visibility is good. The best visibility would always be in the on-prem environment. Then, the cloud, since Splunk is not a native cloud solution like Microsoft's Sentinel, is used. We don't see a lot of challenges if we do a hybrid kind of setup, however.

I'd assess Splunk's insider threat detection capabilities to help find unknown threats or anomalous user behavior at an eight out of ten. Splunk itself uses another agent or another module to do it. Splunk does the job. It's not that it will not do the job; however, it will require more refining than other solutions in the market.

My team uses the Splunk Mission Control, topology, and attach framework features, which are really helpful. We've used it for multiple customers. We take their existing SOC or detection use cases and try to map them to the framework. From a security point of view, it obviously makes a solution more superior. With Splunk, you can catch more security incidents. From a best practice standpoint also, it is a good thing as we can configure the solution, and, according to that configuration, the entire performance is better in terms of security. 

It's very useful for assessing malicious activities or detecting breaches. It's a robust solution. 

We've been able to help customers detect threats faster. It might be 5% to 10% faster in some cases. And since we can analyze large volumes of data, we're not missing any particular data point or data set. That gives us an advantage.

Splunk helps reduce alert volume. You can reduce your alert volume based on your configuration, and it's highly customizable, so it can help you reduce alerts by a lot. It's helped us improve the quality of incidents we receive. 

It's helping customers speed up security investigations somewhat.

It improves the resilience of a company thanks to its ability to quickly analyze data.  

While it's costlier than other solutions, it's highly stable. 

The security orchestration response requires a bit of improvement. 

We'd like to see a more seamless cloud-based integration.

Their mobile features for iOS and Android could be improved in terms of quality of performance. 

I've been using the solution for three and a half years. 

It's a highly stable product even for large customers with diverse environments. For companies that have huge amounts of data even, it does not crash. It's the preferred option when a lot of data is involved. It offers good resilience and improves performance. 

I'd rate the scalability seven out of ten since it is not cloud-native.

Technical support is good. We purchase premium support services.

Positive

I was not involved in the initial setup of the solution. 

The solution is deployed wherever your appliance is. You deploy it where your software team wants to monitor from. Typically, that's headquarters or a company's security center. Splunk then has agents that help devices connect across geographies. For example, while Splunk may be primarily in the UK, it can cover devices via agents across Europe, and the agents can monitor other environments.

We have between two to five people who handle maintenance activities, depending on the client. 

There is a threat intelligence management feature. However, customers don't use it in our case. Typically, customers want something superior in that nature.

Price is a major concern for most customers, big or small. However, price should not be the determining factor when seeking a solution. Users need to think about performance and quality. They need something that will help them prevent security incidents, and they need a product that will be stable. If you can monitor your environment better, you can prevent incidents that may lead to financial loss - and when incidents happen, companies can spend far more dealing with an extended phishing attack than they would on a service like Splunk that will protect them effectively. When it comes to security, while it's not necessary to have the most expensive solution on the market, you should at least seek out a solution that's best suited to your company and its needs.

I'd rate the solution eight out of ten. It's a great option for enterprise-level companies. However, a smaller customer with a smaller budget may not be a good match. They may not need such a powerful solution in any case. That said, if a customer is about to grow a lot, I might suggest Splunk as a primary option. I'd advise potential users to look at the environment size and complexity, consider the budget, and then decide if Splunk makes sense. 

We use it mostly to generate notables, and then we can use other tools, such as ticketing systems or other SOAR platforms, to investigate.

I was not around before we had Splunk Enterprise Security in our organization, so I do not know about the before and after, but I can tell it would be very painful to not have it. 

It is pretty easy to monitor multiple cloud environments. All the logs from our cloud environments go to Splunk, and then we can search everything at once. It is pretty helpful.

Splunk Enterprise Security has end-to-end visibility into our cloud-native environments. It is pretty important. Especially if you use it as your single source of truth, it is pretty invaluable that you have everything in there.

It has reduced our mean time to detect, so inadvertently, it has also reduced our mean time to resolve. However, I do not have the metrics.

Splunk Enterprise Security has definitely improved our organization’s business resilience. There are a lot of logs that help with monitoring and alerting and keeping the business up.

It can help to predict, identify, and solve problems in real time. We do have some health alerts, and if they kick off, we might be able to fix something before it is really broken. In that sense, it is good.

Splunk Enterprise Security has been pretty good in terms of providing business resilience by empowering our staff. Most of our users are security-focused, but having everybody with the ability to write their own searches or build upon what we already have for detection of the future things is pretty helpful.

The correlation search functions that generate all the notables are valuable. That can get pretty complicated, and it handles that pretty well.

Some of the search functions can be better. There has been a lot of talk at the conference about the update of SPL before each iteration. That will be a lot of help. 

I have been using Splunk Enterprise Security for about two years.

It is pretty stable. We have not had any instances where Splunk just completely died. Its stability is good.

It seems pretty scalable, especially considering how much data we ingest. It is a good tool.

I have not interacted with them recently, but they are pretty good when I do need something from Splunk. I would rate them a ten out of ten. I have not had any issues with their support.

Positive

We were probably using Elasticsearch.

It was already implemented when I got here.

We have probably seen an ROI. We are in the security space, and there has definitely been improvement in uptime and the mean time to detect and respond to security alerts.

Its time to value is pretty immediate. The more logs and the more standardization that we get into Splunk, the quicker that comes.

Most people share the same thought that the ingestion rates can get pretty pricey. There is a lot of work we do to curate the data that we send to Splunk so that it is not too noisy or too expensive.

Overall, I would rate Splunk Enterprise Security an eight out of ten. There are some cool things. A lot of the talks at this Splunk conference have touched on some of the gaps that Splunk is working to close, but it is a very solid tool. 

My use cases are very limited. I use the product mostly to detect internal threats like data exfiltration.

I am a basic user. The search lookups are useful.

The product must improve insider threat detection. Almost everything is outside in, but not inside out.

I have been using the solution for four years.

The solution is very reliable. I like its stability. It always works.

Sometimes, it takes time when we need additional information or something extra. However, the tool’s able to do it.

I haven’t contacted the support team. I reach out to the internal expert. My searches and my requirements are very basic. The expert is great. He’s always able to help me and guide me.

Positive

We do see a return on investment. The product saves us time by automating reports and helping us see data.

The solution helps reduce our mean time to resolve. It’s great to automate some tasks. I believe Splunk has helped improve our organization’s business resilience. We have become stronger in insider threats by just stopping things, being able to show what is leaving, and taking action on it. It's very useful when I try to identify events.

When I started working in my organization, they were using Splunk. Overall, I rate the product a nine out of ten.

Splunk Enterprise Security provides more visibility into endpoints in our environment.

We only monitor AWS, but we also have SaaS services that are in our own clouds. So far, it is easy to monitor our cloud environment with this solution. As long as we ingest our data correctly and tune it, it will read it. It is very easy to use.

It provides end-to-end visibility into our cloud-native environment. This is critical for us because we are always one step away from a security incident, which could impact the company and cost a lot of money. That is our main point of focus.

It provides a risk score for each object, device, or user. We can then take action if they are at a higher risk.

The pricing can be better.

We have been evaluating Splunk Enterprise Security for the last eight months.

I cannot say anything about stability, but I am assuming it would be the same as Splunk. It is an app. It is going to work.

The technical support is above average, but they do not go into the details, so we have a contract with a third party to help us.

There might be more Splunk support tiers, but we are working with SP6. They will get their hands directly onto our Splunk environment, whereas Splunk support does not do that. Maybe there is a different tier that does that, but we do not have that. It is more of an email dialogue. They are not going to VPN into our environment. SP6 is more hands-on. I would rate SP6 a nine out of ten.

We did not use a similar solution. We have Carbon Black for endpoints, but this is going to be a lot bigger than that.

We are still evaluating it. We have not deployed it yet, but I was involved with the deployment of Splunk. 

It was very easy to set it up for evaluation. It is just an installer file. It is an add-on app for Splunk, and if you know how to install Splunk and add-ons, it is easy.

I am fine with the licensing, but in terms of the cost, it is expensive for the data that we have. We have an open discussion with our account rep about this.

We are not evaluating any solutions because we already have Splunk, and we do not want to leave Splunk. I like it, so it is just a matter of making the commitment.

The value that I get from attending Splunk Conferences is going to sessions and learning about what other people are doing and use cases that I have not really thought of. Also, I am able to talk directly to people about questions I have regarding our Splunk instances, and I can get some answers right away. It is very good to know what people are doing because sometimes we do something one way, but we do not know if we are doing it the right way. Here, we can get validation, or realize that we are doing it wrong and make the necessary changes. That is very valuable.

I would rate Splunk Enterprise Security a ten out of ten. Most customers at the conference have already implemented it, except for our company. It is a critical foundation app that allows you to explore other apps that Splunk is grading, and it works.

Our primary use case of Splunk has been on the implementation side for clients. Splunk has proven, on multiple occasions, to be extremely useful in the proactive monitoring of clients' hardware, networking, and security operations. Some use cases that we have implemented include, but are not limited to, proactive account lockouts based on machine learning of a typical person's average number of failed login attempts, aggregation of a servers logs in order to predict downtime/maintenance/hardware failures quite accurately, as well as helping administrators of all sorts to gain a full picture of their environments under a single screen.

Splunk has helped our organization mainly on our increased use of the security side. We use Splunk to monitor all machine logins (both successful and unsuccessful) and actions taken on those machines under each user. We have set up some predictive and proactive models, which are programmed to take action on anything outside of the normal usage. These actions range from alerts being sent to the Splunk page, administrators being notified, and if escalated enough, automatic account locks.

The ability to view all of these different logs, then drilling down into specific times or into specific data sources, has proved to be the greatest aspect in decreasing our troubleshooting overhead time. The added security has proven effective as well, but given that we have not yet created the perfect model, we still find ourselves striving to develop a more efficient and predictive security analysis and action plan within Splunk.

Splunk has continually been increasing its features and also expanding and perfecting its core functionality. I would like to see it to continue to improve its predictive analytics and machine learning tools. It is not to be said that they are currently lacking, I don't believe it is, but given the current state and direction of the Information Technology world, I feel as though a major focus of upcoming releases should be set on Machine Learning, Predictive Analytics, and I would enjoy to see more security focused add-ons and apps developed by the vendor.

We did about a year and a half ago. The implementation was able to notify me 34 seconds after the initial breach had happened, but our implementation was already configured to auto-logout any "suspicious" users (our internal networking team had set this detection code up) which alleviated the problem, before it really became a problem for us.

Immensely, I cannot stress enough the positive impact this has had on our security team.

Our personal implementation brings in only around 48GB to 48.5GB of events per day. Depending on the amount of remote workers in the office, it averages around 50 million events daily.

We did not encounter any issues with stability.

We did not encounter any issues with scalability. It is almost seamless to add new index (storage) or search (used to analyze the data) nodes to the cluster.

I have not personally dealt with customer service/technical support.

We did not use a different solution before. The closest thing that we would have done to this would have been personally scraping logs reactively, which cost us roughly two to three hours per issue that arose purely through log searching and remediation.

The initial setup is very straightforward, unzipping a tar, creating a service, starting the service.

My team was the team who had set up this implementation. I would be remiss if I didn't say that our level of expertise is quite high with an average of 4 Splunk certifications per person on my team.

ROI is estimated at saving my team roughly 10 to 12 man hours per week in troubleshooting for our company as well as what our profits had been from our services of installing, configuring, and supporting other clients with the product.

Setup cost is cheap: It is free, it is user-friendly, and it is fast. 

I would highly recommend anyone evaluating this option to download the free trial which allows for the ingestion of 500MB of data per day in order to get a feel for what Splunk does at its core. It will get pricey once your ingestion rates start to sky rocket, but I would consider it expensive given the amount of information that it allows you to analyze and react on straight out-of-the-box.

We evaluated the ELK Stack, of which recently we have implemented with a customer who was looking for a more lightweight, cheaper alternative that would work "Good Enough". They felt they did not need all of the bells and whistles that came with Splunk.

If you have an R&D department within your company that is looking for something new to increase the efficiencies and effectiveness of your company's operations, I would highly recommend having them get the free trial to test out.

We use it alongside some endpoints to detect log ins outside of scheduled work hours. If someone logs in outside of that range, we generate an alert for the security team to review.

I can use the MITRE ATT&CK framework. With the data that I ingest into ES, the MITRE app gives me visibility into what I'm covering from the techniques and tactics in the framework, which is pretty cool and convenient.

At the end of the day, it's the platform receiving the logs from all the other apps. You're watching all the information in just one place, so it's basically the core tool in the company. So, it is really important that Splunk Enterprise Security provides end-to-end visibility into our environment. 

In a way, Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data. However, there are a few tools that are hard to normalize or use data models. And some of the add-ons don't work properly sometimes. Not all of them, but a few.

Splunk Enterprise Security helped us reduce our alert volume by 30%.

Moreover, Splunk Enterprise Security provides us with the relevant context to help guide our investigations. And it's important because we need to set up the basis of the context of what we want to see.

Splunk Enterprise Security helped improve my organization's business resilience. It's a pretty powerful tool. We can monitor and ingest all the data, only if it's not encrypted.

Splunk platform helps consolidate networking, security, and IT observability tools. We watch all that information on just one platform, so that's pretty cool. 

The risk-based alerting (RBA) is one of the valuable features. It's a really cool concept to explain and see the impact that you're having on the company.

Splunk Enterprise Security's ability to find security events across different environments, whether in the cloud, on-premise, or hybrid, is really good. Because it gives me a lot of content out of the box, the only thing I need to do is ingest the data, and I'm good to go.

I would like to see the asset and identity lookups be more automatic and less manual. I have to search everything and type it. So it should be more user-friendly.

I have been using it for six months. 

The stability is really good. It's very accessible.

Most of the time, some docs are not available. When you see the documents, they add a link, we go to the link but it's not available. 

Also, the customer service and support have a lot of old questions that are not updated.

Neutral

It's pretty easy. The first thing you need to do is the onboarding phase. After that, you need to review that the logs that you're receiving are good. And after that, you need to start working with the correlation searches and setting up everything.

The deployment was done internally. 

We have definitely seen an ROI. It is worth it!

The pricing is always going to be different because it depends on the project you are working on and how much data you are going to ingest. But it's definitely worth it.

We directly chose Splunk to begin with.

Overall, I would rate it a nine out of ten. There are a few things that need to be more automatic because there's still a lot of manual work to use it.