Splunk Enterprise Security Reviews

Our use cases are for creating security analytics for our SOC team.

Splunk Enterprise Security is one of the Splunk tools we use to mature our security posture. We use it to be on top of potential threats to the organization.

The benefits include the easy integration with other Splunk tools including Splunk UEBA, Splunk ITSI, and Splunk Core. The ease of integration and the organization's experience and familiarity with searching and passing logs through Splunk are the main benefits.

Apart from the legal and compliance requirements for the bank, it's important that the bank is ahead of bad actors to be able to proactively detect and prevent threats to the organization. At the end of the day, the goal is to protect the organization, the stakeholders, shareholders, the bank's reputation, and the users and customers of the bank.

The Splunk incident response dashboard is pretty useful because it helps first responders triage incidents and properly escalate when necessary.

We find Splunk very useful on the enterprise level to detect and prevent security threats.

Splunk Enterprise Security has definitely helped improve our organization's ability to ingest and normalize data. We have many log sources and over ninety thousand staff. We have endpoints, servers, Syslog Data, and BYOT data. Splunk has been instrumental in maturing the security posture of the organization.

Splunk does a pretty good job at identifying threats in real-time. 

It provides us with the relevant context to help guide our investigations. During onboarding, once the log sources are properly onboarded based on Splunk's recommendation for SIEM compliance, we found real value in being able to aggregate different types of data and load them properly so that we can then pass on and access them very easily. 

It has improved my organization's business resilience. We've been able to mature our security program and posture over the years.

The ability to see everything from a single tool is very helpful. From the context of communication with our executives, being able to show them a unified dashboard to see the security posture has been very useful. For example, our executives can see the security posture or position of all of the branches of the bank from a single dashboard. Dashboards like that give them peace of mind to have that kind of visibility to know the state of things. Splunk is very instrumental in that. 

The incident response dashboard could be more user-friendly.

In the next release, I would like to see the integration of Splunk Enterprise Security with Splunk UEBA. That's a big one. We've spoken with the engineers working on a new UEBA integration with Splunk but right now Splunk UEBA is a separate setup entirely.

I have been using Splunk Enterprise Security for three years.

Splunk Cloud has its advantages. The company might be moving in that direction because you don't worry about infrastructure. But being on-prem part of what we worry about is the underlying infrastructure of Splunk, which is directly relevant to the stability. The resources used for search and load are tied to the infrastructure behind it. It's been stable. 

We've been able to scale rapidly to meet our needs. Splunk Cloud could be advantageous because it's a platform and it will cut out the worry and the need to manage infrastructure on your own. 

I work more with Splunk UBA. My experience with my rep has been good. 

I would rate support an eight out of ten only because everything has room for improvement.

Positive

It's an on-prem deployment. I have more experience setting Splunk up in a Linux environment. It's been a good experience.

I would rate Splunk Enterprise Security a seven out of ten because there's room for improvement. Splunk always positions itself as a market leader. This would involve understanding your competition, seeing their products, and seeing how you can improve to meet their customers' needs. 

From my experience, Splunk has done a good job at that because we have customer success reps who are concerned about how Splunk is meeting our needs. Splunk can definitely do better which is why I'm giving it a seven. 

We use the solution to build correlation searches around insider threats and exultation of data. We also use it for DLP (data loss prevention) and to get more visibility on what's happening in our environment that could increase risk.

The solution's data aggregation has allowed our organization to unify a lot of inputs from various tools in one space and to be able to search from there.

The solution's most valuable feature is risk-based alerting, focusing on building out user risks for individuals throughout the enterprise.

It is important to our organization's security that Splunk Enterprise Security provides end-to-end visibility into our environment.

Splunk Enterprise Security's ability to find any security event across multi-cloud, on-premises, or hybrid environments is good. It's more about how you configure it and how well your company is equipped to provide and allocate resources to make the best use of the tool.

It has helped reduce our mean time to resolve.

The tool should include more real-world use case examples built out either through videos or in the community. These should not just be examples of how it can be implemented but of how previous solutions have been transitioned to new solutions and how they provide a different and better approach.

I have been using Splunk Enterprise Security for one to three years.

Splunk Enterprise Security is a very stable solution.

The solution’s scalability is based on the cost.

Splunk Enterprise Security is just a tool you can use, and then it's really up to the customer how they leverage it best.

Overall, I rate the solution a six out of ten.

We wanted the solution to enhance the SOC ability. We were having trouble with some of our data being SIEM-compliant.

We hope the solution meets some SOC-like abilities.

Splunk Enterprise Security gives us a single pane of glass so that we can use just one tool instead of having to use different solutions.

It is pretty important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment, and it gets more important every year.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data.

It has helped us reduce our alert volume.

Splunk's unified platform helps consolidate networking, security, and IT observability tools. It gives us a single pane of glass, so instead of having to go to different tools, we just go to one tool.

It is deployed as an app on its own server.

It'd be really nice if Splunk Enterprise Security had a better and solid configuration guide.

I have been using Splunk Enterprise Security for roughly one year.

Splunk Enterprise Security is a very stable solution, and we haven't had many issues in five years.

The solution’s technical support team is very knowledgeable.

Positive

It was a little difficult for us to set up the solution mainly because some of our data sources were not SIEM-compliant.

We did engage with Splunk professional services, but it still didn't work. Although our experience with them was good, the tool was still not set up correctly.

We have seen a return on investment with Splunk Enterprise Security.

My experience with the solution's setup cost, pricing, and licensing was really good.

Overall, I rate the solution a seven out of ten.

There are a lot of use cases for Splunk Enterprise Security. The main one is when you are trying to detect an authentication attack. There are lots of people trying to get access to a system, so they are constantly trying to authenticate. Splunk Enterprise Security can quickly detect that through its correlation engine. If there is a specific attack of the anomalous amount of users trying to log into a system, it generates an alert. Our SOC is then able to analyze that alert and determine whether it is a false positive or a true event. If it is a true event, they can work towards containing that attack. If anything is a success, they can quickly provide that information to our incident response team.

The benefits that we have seen from using Splunk Enterprise Security have been faster response time and faster enrichment of information so that the analyst can act and respond in a more timely and efficient manner, which then provides more information to leadership, such as myself. We are then able to respond. We know how to present risks and how efficiently our SOC is doing to our senior leaders. There is a 30% to 40% improvement because, with the system we had before, the capability of figuring out what was going on to analyze the event was cumbersome. Splunk Enterprise Security has driven and given analysts the ability to analyze a lot more efficiently.

Splunk Enterprise Security provides end-to-end visibility into our environment. It is very critical for us.

Splunk Enterprise Security helps us find any security event across multi-cloud, on-premises, or hybrid environments. It helps in all of this. We have multi-cloud environments. We have all four main cloud environments. We also have our on-prem environments. We have also set up a hybrid environment. It has improved our ability to detect and find needles in the haystack that we were not able to see before. There are lots of things they have been able to detect. People were installing things and misusing AUP violations that we were not able to see before.

Splunk Enterprise Security helped reduce our alert volume with the implementation of risk-based learning. When you are doing risk-based learning, you can definitely reduce the volume, but initially, when you move from one SIEM to Splunk Enterprise Security, you do not really reduce volume. You are generating more. Because you are getting better visibility, you are generating more information for the analysts to look at, and then over time, as Splunk Enterprise Security and the team learn the environment, you are able to tune down and then use the risk-based alerting to help reduce a lot of false positives.

Splunk Enterprise Security provides us with the relevant context to help guide our investigation. There are limitations, which is where Splunk SOAR helps with the enrichment of the information, but it definitely provides good context. In the notable alerts, it provides a lot of key information that you need, and then there is the ability to drill in to see what the actual events were, so it really helps.

Splunk Enterprise Security is efficient at predicting, identifying, and solving problems in real time. With the correlation rules, the ability to have adaptive responses, and the ability to tie in even machine learning into that, we are able to do real-time analysis and quickly gather and detect.

Splunk's unified platform helps consolidate networking and security tools, but sadly, our organization does not use IT observability tools. We are purely from a security perspective.

It has so many features. The incident review pane is the best part of it because that is where the SOC lives. It is the heartbeat of what the SOC needs to do. You are able to start the investigative process. As you are sitting in the incident review pane, you see the alert, and from that one alert, which is called a notable alert, you can drill in and see all the different specific details that are tied to that. You then have adaptive response action that can be taken automatically on that, or you can even drill in to look at what events drove that alert to be created. You can then start doing more hunting and querying that way. There is so much information contained in the notable alert itself in that panel. It helps to drive the direction of where the engineer should go.

I am looking forward to seeing what is coming out in the new release that was announced, but case management is an important thing. Being able to have a one-stop shop where you have the alert, but then you can generate the case right there from Splunk Enterprise Security instead of having to pivot to another tool such as Mission Control. You do not have to keep bouncing between them, so if you could do it all in one place, that would be great. The new release is supposed to start getting in that direction.

I have one environment that has been using Splunk Enterprise Security for two years in the Splunk Cloud. I am currently in the process of migrating my on-premise corporate environment to Splunk.

At this point, Splunk Enterprise Security is very stable.

It is very scalable. Particularly, when you do search and clustering, you are able to scale rapidly to be able to meet the demands of what is needed for your SOC. The data model setup helps to quickly drive and get rules created without having to need a new data source or a new rule. You just send that new data source to one of the data models, and you already have the rules there, and it automatically starts generating alerts based on those existing rules.

I would rate their support a seven out of ten. Sometimes, you get some solid people, but other times, it takes a bit of effort to get across what the actual issue or situation is. This is a challenge for any help desk organization particularly when you have lots of customers calling in and all of them with unique situations.

Neutral

We were using another tool previously. There were many reasons for switching. One big reason was the ease of integration of data into the tool. With the previous tool, to integrate a normal log source, such as an identity access tool, into the SIEM, we had to pay for PS engagement in order to even get the information in. Splunk has native integration with all these different apps. It is natively tied to all the different IDAM and ID tools out there. It is very easy for the team to implement it themselves. They do not have to go and get extra help to do it. They can install the app, get the keys and authentication set up between the two new tools, and then it just works.

Our deployment experience was just fine. I deployed Splunk at other companies before, so it was not new to me to do it with this company. The pricing and everything else went smoothly. The Splunk team was super helpful. They were very engaging. They helped to build it. We were able to get access to Splunk engineers who worked for Splunk, and they helped define the sizing. They went through and evaluated what our current solution was and helped us build out what we needed in order to meet and exceed that capability. Splunk has been super helpful.

For one environment, I am using the public cloud, and then for my other environment, I am using an on-premise setup. We have the AWS cloud.

We did use professional services to help with this. At my previous company, I would not have used professional services because I had a team of Splunk architects who knew what they were doing and knew how to do it. In this company, we were moving from a different technology to Splunk. My teams were not as familiar with Splunk, so I needed the extra help. We had the help of Splunk professional services and third-party professional services. We used Verizon.

The environment that we had set up has been running for two years. I had planned that initially for a certain amount of growth, but within the first year, we had already doubled the size of the data. It was able to handle the information so much more efficiently that a lot of the groups that were not integrated into the SIEM before started saying that they needed their data monitored as well, so we started growing quite quickly. It has helped us exponentially.

I evaluated several SIEM solutions before choosing Splunk. With Splunk, we had the ease of integration of data because getting the data in as quickly as possible and making use of it is important. Another area is that in certain tools, you have to generate one rule per data source, whereas Splunk has the data modeling capability where you have all the data sources going into the data model, and then you create one rule per data model instead of per data source. It helps reduce the workload for the system, so there was that aspect of more performance than any other solution.

I would rate Splunk Enterprise Security a nine out of ten. It is a market leader from an SIEM perspective. It has bells and whistles, but it does not let you get lost in those bells and whistles. It helps drive the analyst into what is the most important thing that they need to focus on, and that is protecting the company. They are able to be more efficient. They are able to help do what the mission of the company is, and that has enabled the company to not worry about the security part. Without a risk, they are able to do their business and help their customers.

We are using it for our SOC. We integrated it with our SOC.

We have had a couple of benefits. We are using it as a SIEM. We do log extraction and analyze them. We also use reporting and dashboards. We are using it for security assessment. It is very helpful for us to be able to see what it has been like. Based on the incidents, we can take measures to cover any gaps.

Our security posture has definitely improved since we started using Splunk Enterprise Security. We are scaling it in stages. We are not yet using it at an optimum level. We are using 50% to 60% of it. Based on the analysis that we are doing, our security posture has definitely improved.

The end-to-end visibility that it provides is very important for any organization. It is the right tool to get end-to-end visibility. We get 360-degree visibility.

Like most organizations, we are moving to the cloud. We have a hybrid environment. We have a SaaS, PaaS, and on-prem environment. It is a very good tool for identifying security incidents. There are statistics, and we can go back and forth to see exactly what happened.

Splunk Enterprise Security has improved our organization’s ability to ingest and normalize data.

It is a real-time tool. What I like about it is how they are able to bring all the logs into a single dashboard. We can quickly get what we are looking for. We have queries. That is amazing.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. We are not using it completely, but based on our usage, it is up to our expectations.

Splunk Enterprise Security has helped reduce our mean time to resolve. Previously, if an incident used to take us an hour, it now takes us a few minutes.

The dashboard is amazing. Out-of-the-box dashboard is very good. It is very user-friendly. It is out of the box. With a few clicks, the dashboard is there.

Its performance can be better. Sometimes, it takes longer when we do queries.

Their support can also be better.

We have been using Splunk Enterprise Security for the last seven or eight years.

It is very stable. I would rate it a ten out of ten for stability.

Scalability is there. I would rate it a ten out of ten for scalability.

As we are increasing our cloud and on-prem infrastructure, logs are increasing. We have to come up with policies on our side for log retention and other things, but we are able to collect logs from multiple sources.

I would rate their support a seven out of ten. Its implementation was a big challenge, and sometimes, the ticket went from one person to another person.

Neutral

We were using Alert Logic. It is good, but there are performance issues with the dashboard and other things. At times, it takes ages, whereas Splunk Enterprise Security is real-time.

Its deployment is not easy. It is difficult. It is a one-time job, and once it is done, you get the benefits. 

We had to engage a third party or a channel partner. It was the right choice.

Application-wise, we have seen a lot of improvement in our application delivery. On the security side, we are still learning.

It is pretty straightforward and based on the sizing. If I compare it with other competitors, it makes sense.

We looked at LogRhythm, but Splunk is more mature.

I would rate Splunk Enterprise Security a nine out of ten. It is not a ten because of the support.

We currently use Splunk Enterprise Security for security monitoring. Previously, we relied on AWS native monitoring tools. In that setup, logs were forwarded to a Splunk dashboard which was also used by our L1 and L2 support teams to evaluate incoming support cases.

CloudWatch, the native AWS monitoring tool, offers limited metric detail and a complex navigation experience across different data streams. In contrast, Splunk empowers us to create custom dashboards. This allows our team to quickly access the relevant dashboard and perform root cause analysis during an incident, streamlining our response process. This is how Splunk has been instrumental in enhancing our efficiency.

Splunk dashboards significantly improved our incident response by providing a single view of all relevant information. This allowed us to quickly identify and address issues. Additionally, Splunk's customization capabilities enabled us to tailor dashboards to focus on the specific metrics most critical to our operations. As a result, we could easily create dashboards highlighting high-priority metrics. Splunk's real-time data ingestion allowed for near-instantaneous monitoring. Logs generated in AWS were pushed to Splunk almost immediately through a collector. This enabled us to use the dashboard to investigate these logs in real-time. Furthermore, integrated identity and access management facilitated easy sharing of dashboards with other users.

Splunk itself may not have directly improved collaboration on security issues. However, in the event of an incident requiring investigation by a senior security professional, Splunk simplifies the process. L1/L2 teams and support engineers can easily point to the relevant dashboard connected to the issue. Additionally, these dashboards provide valuable features for further investigation, post-mortem analysis, or what they might call building the analysis or post-mortem report.

Splunk has been helpful for customers in resolving a wide range of issues. Whenever a problem arises, IT staff can quickly identify the root cause using Splunk. This allows for faster issue resolution, which in turn helps businesses retain customers and maintain their overall value.

The most valuable feature is the custom dashboard feature.

Splunk is robust and user-friendly.

Splunk's ability to analyze malicious activities scores an 8 out of 10, but there's room for improvement. By analyzing emerging patterns, Splunk could identify and predict potential threats more effectively.

I have been using Splunk Enterprise Security for three years.

I would rate Splunk Enterprise Security's stability 9 out of 10. 

Splunk Enterprise Security was able to meet our scalability needs.

We previously used native cloud monitoring. Now, we supplement it with Splunk to benefit from its additional features.

While the initial deployment was simplified by the availability of Splunk connectors in the public cloud, additional effort was required. We had to write the infrastructure as code, build the connector itself, pull the logs, and push them to the Splunk endpoint. These steps, including connection and configuration integration, would equate to moderate effort for a single person.

For those considering a SIEM solution but prioritizing affordability, Splunk is a strong contender. My experience using Splunk for several years has been positive, with minimal glitches. Additionally, its user-friendly GUI allows new users to contribute immediately. Splunk is also feature-rich, offering a wide range of functionalities out-of-the-box. However, remember that quality often comes at a cost. Considering these factors, Splunk emerges as a cost-effective solution.

I would rate Splunk Enterprise Security 8 out of 10.

Splunk did not help us reduce our alert volume because it was not integrated directly for alerting. It was integrated for monitoring. The alerting happened from our native cloud.

Splunk is self-sustainable and doesn't require maintenance.

We have never needed to contact Splunk support because their documentation is good enough for us to resolve the issues ourselves.

Splunk Enterprise Security is a stable, feature-rich, and user-friendly product with a well-designed graphical user interface.

We use Splunk Enterprise Security to analyze log data for log monitoring, creating use cases, onboarding, and incident response.

We wanted a single security tool that could immediately identify notable events that could be reported as security breaches, and then enable us to take intelligent action without having to purchase additional security tools.

We have two customers with hybrid cloud solutions. Neither customer is fully cloud-based. Our implementation is based on the customer's requirements, such as compliance, data ownership, and administration. We plan the implementation of Splunk cloud or hybrid models based on these requirements. We discuss the benefits and solutions with the customer to ensure that we are not breaching any compliance policies and that we are selecting the right model for their needs. Because we have multiple customers, we must also consider how to manage this process effectively.

We use multiple cloud environments for our clients, including AWS, Azure, GCP, and private cloud. We can easily integrate Splunk Enterprise Security and segregate the logs based on the type of index we create for each customer. When we create different indexes, we can segregate the types of logs based on the device type. This makes it easy to separate logs from different universal providers, different machines, and specific types of indexes dedicated to particular customers or groups.

We use threat topology and MITRE ATT&CK to create and integrate use cases for network framework detection and visualization in Splunk. Splunk helps us segregate and integrate use cases based on different threat detections and provides a complete dashboard view of how use cases match with detected threats.

When discussing MITRE ATT&CK and topology, we sometimes encounter use cases where we must ensure the logic is properly implemented to detect the threat and trigger the alert. This is because log access may involve specific teams and their associated MITRE ATT&CK tactics and techniques. We must be very specific about the information we are observing in order to derive the correct information and framework topology.

Splunk is one of the easiest solutions for analyzing malicious activities and detecting breaches. It is flexible enough to work with small teams, and it provides a broad view of the data, allowing us to segregate and fine-tune the analysis based on the customer's requirements.

Splunk Enterprise Security can help us detect threats faster when it is properly configured. We have implemented over 400 use cases for specific types of malware and other threat detection. In over 70 percent of environments, Splunk is able to detect threats faster than other solutions.

It has helped our organization improve by integrating with cloud providers. Splunk enables us to blacklist specific data types and ranges to reduce our losses, based on our requirements.

We have reduced our alert volume by around 50 percent with Splunk. When we first started creating and using Splunk use cases, we received around 700 alerts. Splunk can merge different sources of use cases into one to identify false positives, which has been very helpful for us.

Splunk has helped speed up our security investigations by almost 70 percent. We have a dedicated incident response team. They use the Splunk incident reports to help with their investigations. 

Splunk Enterprise Security comes with 300 pre-deployed use cases that can be easily customized to meet the specific needs of our organization, without the need to purchase additional tools.

We can easily identify the number of security devices and users that are authenticated on the network and present the information to the executive team.

Splunk can improve its third-party device application plugins.

I have been using Splunk Enterprise Security for five years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The Splunk technical support is good but their call times differ.

Positive

I previously used IBM Security QRadar, Azure Sentinel, and McAfee Network Security Platform. Splunk Enterprise Security is designed for multiple platforms and is easier to implement.

Splunk is much faster when used correctly and has many tools. With the exception of Sentinel, the other solutions do not have many tools. With Sentinel, we have to define the indexes and all those things, such as the aggregation of logs. It is easy to do searches in Splunk, even in a large environment. I find Splunk to be more efficient than the other solutions I have used in the past.

The initial deployment is straightforward. We install the solution and define the roles of each server and the data it will store. The deployment in our test environment took 13 hours.

We have seen a return on our investment in Splunk. The variety of options that Splunk provides is a great selling point for our customers.

While Splunk is more expensive than other solutions, we would still choose it because of its capabilities. Splunk is a leader in the field and provides a wider range of data and security features than other SIEM solutions.

I would recommend Splunk over any of the less expensive SIEM products. I recommend the license-based solution over the user-based solution that Splunk offers. If I had to recommend any other SIEM other than Splunk, it would be Microsoft Sentinel.

I would rate Splunk Enterprise Security seven out of ten.

The threat detection capabilities that we get by default are very basic. However, if we want to implement the most effective threat protection on the internet, we need to purchase a relevant solution for intelligent threat protection. This will provide us with more feeds for enterprise security and help us to integrate data by matching the data to the target and to the security with our Splunk.

We have 60 percent of our customers using Splunk Enterprise Security in their environments.

Splunk maintenance is required for updates. 

Splunk provides a centralized monitoring platform, eliminating the need to switch between different platforms to monitor security. Splunk provides a clear view of different security losses and incidents, and we can onboard any number of devices as needed. We can monitor our entire environment from one place, requiring only one team to monitor it. Splunk adds a lot of value currently.

We essentially use Splunk for our Security Operations Center (SOC). All of the notables that we create for the SOC are done in Splunk Enterprise Security. It is our SIEM.

I cannot put a value on it, but it has been pretty good. Previously, we used to use ArcSight. I used to do incident response when I first joined the SOC, and there were times when I used to sit down and run a search right at the start of my shift, which is at 7 AM, and I used to hope that it would be run by the end of the shift at 7 PM. I used to hope that it would run in 12 hours and not time out. When we got Splunk, it was a game changer. It took seconds to a minute depending on how intense the search was.

We monitor multiple cloud environments. It is easy to ingest data in Splunk. Based on what I hear from our customer success manager, he has customers who have issues ingesting logs, but for me, it is one of the easiest things ever. Their documentation is fantastic.

Splunk Enterprise Security has end-to-end visibility into our cloud-native environments. It is very important for us. When we first got cloud, it was like the Wild West. Anyone could spin up their own cloud infrastructure, and we would not know about it. It was public. We did not know what they were doing with it. Now, we have a better grasp and understanding of what is out there, so Splunk makes it easy for us to keep track of our endpoints that are public-facing.

Splunk Enterprise Security has helped reduce our mean time to resolve. As compared to ArcSight, it has saved at least three to four hours per incident. We utilize a SOAR platform. We do not use Splunk SOAR. We use a different SOAR platform, but with the combination of Splunk Enterprise Security and our SOAR platform, we are able to cut down our mean time to resolve. The time saved varies depending on the case. A normal case would probably take less than ten minutes per investigation. A critical P1 case would take more time, but a normal day-to-day case would take less than ten minutes for our analysts to do their work. A normal case is where a user clicks on a phishing link in an email, or your EDR solution says something happened and there is a threat actor in your environment moving laterally trying to access data.

The correlation searches are most valuable just because we are able to do things like RBA. One of the things that we started pretty recently is our insider threat program, and it has been pretty good, especially using RBAs as our framework for the insider threat.

The UI could be better. This is applicable to Splunk in general. I know that a lot of people who get their hands on Splunk are hesitant to use it just because they find it overwhelming. There are a lot of options. If you open Google.com, you just have a search bar. You just search and hit "go," but when people look at Splunk, they are just overwhelmed. I see that with our analysts. Even after training, if they do not use it every day, which they should be doing, they kind of lose it.

Its learning curve is a bit steep. It is hard for users to use it. For individuals who know how to use it, it is fantastic. It is great. For example, if you are a Splunk Cloud customer, and you had an outage or there is a maintenance window, those individuals who are power users would know immediately when it happens or they would know that there is a maintenance window coming up because they are the experts. They are the SMEs on their teams, and they are the ones creating value using Splunk. Individuals who do not know how to use it are intimidated.

We have been using Splunk Enterprise Security since 2017. It has been about six years.

Its stability is amazing. It is always up. It is fantastic.

It is awesome. When we first purchased Splunk Cloud, our ingest rate was about one terabyte or one and a half terabyte. We moved from the ingest-based license to the workload-based license three or four years ago, and now, we ingest about 10 to 12 terabytes. It is handling that just fine as if nothing has changed.

I would rate their support a six out of ten because there are times when someone picks up a support case, but they do not know what they are doing. I have to guide them. It is like, "I have already done the research. This is what needs to be done. There you go. Do it." I expect a little bit more from support in terms of having the knowledge upfront.

Neutral

We had on-premises ArcSight. We had one guy run it for our enterprise. Our enterprise has roughly over 130,000 people. We are a global company, and we had one guy run the entire infrastructure. We could tell when he took days off because it would not work. When we moved to Splunk, we went to Splunk Cloud immediately. We were one of the first Splunk Cloud customers or one of the bigger ones. That is what I was told when we made the switch.

I do not know whether we have seen any cost efficiencies by switching to Splunk Enterprise Security because I was not there during the ArcSight days per se. I was there at the very tail end, but I would assume that we have seen cost efficiencies just because ArcSight was only used by the security team, whereas Splunk is used enterprise-wide, not just by the security team. It should be cheaper for us. The value is there. It is cross-functional.

I was not involved in its deployment.

Its time to value was about a year. It took us about a year because back in 2017, we were making that conversion from an on-premise ArcSight deployment to a Splunk Cloud deployment. We had to make sure that everything that was being sent to ArcSight was sent correctly to Splunk. We had to make sure that everything was in a common information model format and that we could rebuild the content.

Splunk Enterprise Security is cheaper than competitors, but I do not know whether it is just our contract. 

Everyone says that Splunk, in general, is expensive. I have talked to many peers within our industry, and I know a lot of individuals who are moving away from Splunk just because of the price. That is one of the reasons why we are looking at other competitors to see if anyone is doing something better than Splunk and has a cheaper rate.

I have looked at other competitors. We recently looked at CrowdStrike's LogScale solution. It feels like Splunk to me. I cannot say how we would reproduce what we have done in Splunk on the infrastructure side or backend. Our environment is uniquely different. Technically, I am the only person who runs Splunk for our entire organization, similar to the way the previous person ran ArcSight for the organization. If I were to compare apples to apples, Splunk to me is still number one in that category.

Splunk's community is the biggest benefit. It is so easy to go to Slack and hit someone up. There is a good chance that you will find someone out there who has run into the exact same issue that you are having. Their documentation is fantastic. Because I am the only one who runs it for our organization, it is easy for me just to Google it, find the document, and just follow it. It is as simple as that. It gets a little dicey with XDR and all the other things that are happening in the market, such as using a data lake. Instead of putting our eggs in one basket or using Splunk, we might use something like Snowflake.

I get introduced to new ideas by attending the Splunk Conference. In the year before last, someone did a talk about business email compromises. Within our company, we did something similar, and we did it about nine to ten months before the talk. I listened to the talk to see if we were doing anything different from what they were doing. I found out that we were doing the exact same thing essentially. I thought, "We could have done a talk like this too." These talks are very helpful. For example, they showcased the attack analyzer, and currently, we are looking for an automated online sandbox, just like the attack analyzer. We have been looking at cloud-based sandboxes that are out there. Being able to see it hands-on and how it interacts with Splunk makes it much easier for us to make that decision.

Overall, I would rate Splunk Enterprise Security a nine out of ten.