Splunk Enterprise Security Reviews

We essentially use Splunk for our Security Operations Center (SOC). All of the notables that we create for the SOC are done in Splunk Enterprise Security. It is our SIEM.

I cannot put a value on it, but it has been pretty good. Previously, we used to use ArcSight. I used to do incident response when I first joined the SOC, and there were times when I used to sit down and run a search right at the start of my shift, which is at 7 AM, and I used to hope that it would be run by the end of the shift at 7 PM. I used to hope that it would run in 12 hours and not time out. When we got Splunk, it was a game changer. It took seconds to a minute depending on how intense the search was.

We monitor multiple cloud environments. It is easy to ingest data in Splunk. Based on what I hear from our customer success manager, he has customers who have issues ingesting logs, but for me, it is one of the easiest things ever. Their documentation is fantastic.

Splunk Enterprise Security has end-to-end visibility into our cloud-native environments. It is very important for us. When we first got cloud, it was like the Wild West. Anyone could spin up their own cloud infrastructure, and we would not know about it. It was public. We did not know what they were doing with it. Now, we have a better grasp and understanding of what is out there, so Splunk makes it easy for us to keep track of our endpoints that are public-facing.

Splunk Enterprise Security has helped reduce our mean time to resolve. As compared to ArcSight, it has saved at least three to four hours per incident. We utilize a SOAR platform. We do not use Splunk SOAR. We use a different SOAR platform, but with the combination of Splunk Enterprise Security and our SOAR platform, we are able to cut down our mean time to resolve. The time saved varies depending on the case. A normal case would probably take less than ten minutes per investigation. A critical P1 case would take more time, but a normal day-to-day case would take less than ten minutes for our analysts to do their work. A normal case is where a user clicks on a phishing link in an email, or your EDR solution says something happened and there is a threat actor in your environment moving laterally trying to access data.

The correlation searches are most valuable just because we are able to do things like RBA. One of the things that we started pretty recently is our insider threat program, and it has been pretty good, especially using RBAs as our framework for the insider threat.

The UI could be better. This is applicable to Splunk in general. I know that a lot of people who get their hands on Splunk are hesitant to use it just because they find it overwhelming. There are a lot of options. If you open Google.com, you just have a search bar. You just search and hit "go," but when people look at Splunk, they are just overwhelmed. I see that with our analysts. Even after training, if they do not use it every day, which they should be doing, they kind of lose it.

Its learning curve is a bit steep. It is hard for users to use it. For individuals who know how to use it, it is fantastic. It is great. For example, if you are a Splunk Cloud customer, and you had an outage or there is a maintenance window, those individuals who are power users would know immediately when it happens or they would know that there is a maintenance window coming up because they are the experts. They are the SMEs on their teams, and they are the ones creating value using Splunk. Individuals who do not know how to use it are intimidated.

We have been using Splunk Enterprise Security since 2017. It has been about six years.

Its stability is amazing. It is always up. It is fantastic.

It is awesome. When we first purchased Splunk Cloud, our ingest rate was about one terabyte or one and a half terabyte. We moved from the ingest-based license to the workload-based license three or four years ago, and now, we ingest about 10 to 12 terabytes. It is handling that just fine as if nothing has changed.

I would rate their support a six out of ten because there are times when someone picks up a support case, but they do not know what they are doing. I have to guide them. It is like, "I have already done the research. This is what needs to be done. There you go. Do it." I expect a little bit more from support in terms of having the knowledge upfront.

Neutral

We had on-premises ArcSight. We had one guy run it for our enterprise. Our enterprise has roughly over 130,000 people. We are a global company, and we had one guy run the entire infrastructure. We could tell when he took days off because it would not work. When we moved to Splunk, we went to Splunk Cloud immediately. We were one of the first Splunk Cloud customers or one of the bigger ones. That is what I was told when we made the switch.

I do not know whether we have seen any cost efficiencies by switching to Splunk Enterprise Security because I was not there during the ArcSight days per se. I was there at the very tail end, but I would assume that we have seen cost efficiencies just because ArcSight was only used by the security team, whereas Splunk is used enterprise-wide, not just by the security team. It should be cheaper for us. The value is there. It is cross-functional.

I was not involved in its deployment.

Its time to value was about a year. It took us about a year because back in 2017, we were making that conversion from an on-premise ArcSight deployment to a Splunk Cloud deployment. We had to make sure that everything that was being sent to ArcSight was sent correctly to Splunk. We had to make sure that everything was in a common information model format and that we could rebuild the content.

Splunk Enterprise Security is cheaper than competitors, but I do not know whether it is just our contract. 

Everyone says that Splunk, in general, is expensive. I have talked to many peers within our industry, and I know a lot of individuals who are moving away from Splunk just because of the price. That is one of the reasons why we are looking at other competitors to see if anyone is doing something better than Splunk and has a cheaper rate.

I have looked at other competitors. We recently looked at CrowdStrike's LogScale solution. It feels like Splunk to me. I cannot say how we would reproduce what we have done in Splunk on the infrastructure side or backend. Our environment is uniquely different. Technically, I am the only person who runs Splunk for our entire organization, similar to the way the previous person ran ArcSight for the organization. If I were to compare apples to apples, Splunk to me is still number one in that category.

Splunk's community is the biggest benefit. It is so easy to go to Slack and hit someone up. There is a good chance that you will find someone out there who has run into the exact same issue that you are having. Their documentation is fantastic. Because I am the only one who runs it for our organization, it is easy for me just to Google it, find the document, and just follow it. It is as simple as that. It gets a little dicey with XDR and all the other things that are happening in the market, such as using a data lake. Instead of putting our eggs in one basket or using Splunk, we might use something like Snowflake.

I get introduced to new ideas by attending the Splunk Conference. In the year before last, someone did a talk about business email compromises. Within our company, we did something similar, and we did it about nine to ten months before the talk. I listened to the talk to see if we were doing anything different from what they were doing. I found out that we were doing the exact same thing essentially. I thought, "We could have done a talk like this too." These talks are very helpful. For example, they showcased the attack analyzer, and currently, we are looking for an automated online sandbox, just like the attack analyzer. We have been looking at cloud-based sandboxes that are out there. Being able to see it hands-on and how it interacts with Splunk makes it much easier for us to make that decision.

Overall, I would rate Splunk Enterprise Security a nine out of ten.

We use Splunk Enterprise Security as the main SIEM system for our operation center. We use it for monitoring detection, and alert management.

We implemented Splunk Enterprise Security to help detect attacks on our network.

Splunk Enterprise Security is highly flexible, allowing us to create whatever we desire. This exemplifies its inherent power. The visibility it offers is notably robust. We can craft it to our needs and even utilize various frameworks within Splunk, prepackaged for security purposes. We possess distinct applications hosting diverse dashboards, catering to numerous security products, including those from different vendors.

The effectiveness of Splunk Enterprise Security insider threat detection capabilities, aimed at identifying unfamiliar threats, relies on whether we establish alerts based on the rules we formulate. If we construct rules incorporating user behavior criteria, the system functions optimally. It appears that there is an Extended User and Entity Behavior Analytics add-on available, which requires a separate license in addition to the enterprise security license. This add-on utilizes machine learning and encompasses multiple developed use cases. While it has limitations, it effectively serves the specific use cases it is designed for.

The threat intelligence framework within Splunk is also highly potent. We can ingest, link, and integrate external data feeds. Concerning IOCs, there are numerous pre-configured alerts within the system that rely on a feed of undesirable IPs. If one of these IPs triggers any of the alerts, such as those generated by our firewall's traffic logs, and the IP matches the bad IPs in the threat intelligence feed, the system correlates this information. If the flagged IP is detected within our network or appears in our firewall logs, an automatic alert is generated. We simply need to ingest the external feed. Subsequently, if the system identifies the IP anywhere, we will receive corresponding alerts.

I appreciate the new MITRE ATT&CK feature. I believe it's a valuable addition and reasonably priced. It seems the feature has been largely developed through marketing efforts, utilizing the capabilities of Splunk to display the MITRE ATT&CK map and the associated rules. This is important since MITRE ATT&CK encompasses over a hundred techniques. It presents the information to us based on the MITRE ATT&CK framework to illustrate ongoing activities. However, achieving a comprehensive understanding of each technique within the MITRE ATT&CK framework requires significant effort and adjustments.

Splunk Enterprise Security has enhanced our organization by offering increased visibility. If any adverse incidents occur, we are promptly informed. Even without configuring the custom rules, Splunk provides effective out-of-the-box rules that help prevent attacks. Consequently, it effectively halts these attacks. In fact, we have been able to detect and thwart potential attacks in their initial stages. This exemplifies the benefits it provides us.

Splunk Enterprise Security has helped to speed up our security investigations. We are now able to complete our investigations within three or four days. 

The most valuable features include agility and Splunk Enterprise Security's ability to quickly search for alerted items, as well as the capacity to create custom alerts using the SQL language employed by Splunk. This makes it a highly potent and versatile solution tailored to both user and company needs.

Splunk could enhance its services by providing more comprehensive professional assistance aimed at optimizing our investment. This aspect seems lacking as our expenses increase with higher data connectivity, seemingly without much consideration, as this translates to increased revenue for them. The challenge lies in the fact that we don't always require all the amassed data. Oftentimes, clients are uncertain about their actual data needs. Therefore, if Splunk integrated a service dedicated to system optimization and pricing, focusing on essential monitoring data while eliminating less crucial elements, it could potentially lead to cost savings for the customers. This strategic move would demonstrate their commitment to customers beyond just financial gain. It would highlight their genuine intention to provide support, streamline operations, and maximize the potential of this technology for individuals and their respective companies.

Splunk provides automation for large-scale environments where numerous servers are present. Consequently, efficient management of these servers becomes imperative. Currently, our management server operates using a top-down approach. This involves establishing connections from the main management server to every individual leaf and subsequently, to each lower-level server.

However, this architecture lacks inherent security measures. In the current setup, Splunk employs multiple collectors to gather data. Subsequently, this data is relayed upward, filtered, and then once again transmitted to the main management server. Notably, data traffic consistently flows from external sources toward the central management hub. This design enhances security, as even if a hacker were to compromise or gain control of the management server, their influence would be limited. The data originates externally and travels inwards, preventing unauthorized access to the entire system. 

In contrast, the proposed approach for managing extensive infrastructures situates the management hub at the core. This central position allows us to establish connections from the hub to the various peripheral components, even if they are located on a secure network. However, this configuration carries significant risks. A security breach at the central hub could potentially grant an attacker elevated permissions. This would enable them to compromise the entire network by gaining access to all Splunk nodes within the company. This architecture is vulnerable and has room for improvement.

I have been using Splunk Enterprise Security for four years.

I would rate Splunk Enterprise Security's stability a seven out of ten. This is because the system lacks built-in protection against certain issues. It alerts us when there are problems in the system, which we then need to address. However, these issues are not always easily fixable, setting it apart from other systems. For instance, sometimes the system slows down while we're working. This can occur when a new alert is implemented, leading to high resource usage and system instability. We are then required to identify and rectify the specific cause of this problem. This might involve disabling or adjusting the alert to ensure it doesn't negatively impact the system's performance.

Splunk Enterprise Security's ability to scale is good. I rate the scalability an eight out of ten.

The technical support is good.

Positive

Previously, I used QRadar, McAfee, and ArcSight. However, Splunk Enterprise Security is a more modern solution. While ArcSight from HP is powerful, it is an older system with limited flexibility and complex architecture. Many companies implemented SIEM systems before Splunk became available. It seems that most large companies might still be using ArcSight, but other competitors have entered the market since then.

McAfee attempted to develop a similar system, but it lacked scalability and was better suited for small businesses rather than larger enterprises. QRadar, on the other hand, remains robust, but it lacks Splunk's flexibility. One of Splunk's notable advantages is its ability to generate alerts and then allow users to enter searches and queries to investigate network activities and log data. This process, known as threat hunting, enables users to conduct specific searches, such as identifying individuals who accessed a particular system and the internet between four and five o'clock on a Friday. Splunk promptly provides the desired results, typically within a few minutes, making it a strong choice for this purpose. Additionally, Splunk Enterprise Security features a highly effective filtering mechanism.

I participated in the planning and implementation of Splunk Enterprise Security, as well as the creation of all rulesets and alerts. I am also configuring it to align with our technical framework.

Individuals who market Splunk Enterprise Security often claim that it can be deployed within half a day, which is quite amusing. While it is conceivable to perform the installation in that timeframe, the real complexity arises when we must establish connections with numerous systems. This involves accessing each system external to our main setup, configuring it, and directing the system to send its logs to Splunk. On the Splunk side, we encounter the need to create parsing mechanisms that allow proper data reading. This entails installing applications capable of correctly parsing the data, and addressing issues where parsing is inadequate. We then proceed to work with the data. Although Splunk provides some pre-configured rules, we also need to develop our own rules to identify specific events and potential attacks. The process of rule creation demands a substantial investment in writing rule sets. Additionally, integrating a threat intelligence framework becomes essential. We aspire to leverage the micro-framework we have established. Splunk Enterprise Security undeniably possesses considerable capabilities. Nevertheless, it necessitates continuous effort to unlock its full potential and achieve ongoing enhancements.

The solution's complete implementation may require up to one year. Throughout most of the deployment, we had a team of two members, occasionally expanding to three.

For the implementation, we used two integrators and Splunk Professional Services.

Considering the fact that Splunk Enterprise Security aids in thwarting attackers from gaining access to our environment, I would correlate this with a return on investment.

Splunk Enterprise Security's pricing is high. Larger companies may afford it, but I believe that in the current market situation, where everyone is facing challenges, financial resources are tight. Even stock market tech companies are embracing cost-saving measures. Expenses are now more constrained compared to a few years ago when companies had greater spending capacity. Companies are reluctant to make hefty payments. While Splunk is cheaper than Microsoft Sentinel, QRadar is priced at half the cost of Splunk.

Splunk Enterprise Security's licensing is typically determined by the data throughput we handle. Additionally, they offer an alternative pricing model which involves payment based on CPU usage. This newer model was introduced as a response to Elastic Security. However, Splunk enforces licensing in either scenario. 

I rate Splunk Enterprise Security a nine out of ten.

We do not monitor the cloud environments with Splunk. While we have several cloud environments, we avoid using Splunk for this purpose due to its high cost. To utilize Splunk, it would be necessary to place the Splunk engine in the cloud and gather all the logs from various cloud sources, resulting in substantial expenses due to the large volume of logs. As a result, our primary usage of Splunk is on-premise. Instead, we employ different systems to monitor the cloud, generating alerts through various security mechanisms. These alerts are then processed in Splunk, reducing both data traffic and costs.

Splunk Enterprise Security's capabilities to analyze malicious activities and detect breaches are similar to those of other systems. Its effectiveness depends on the rules we develop within it. To truly maximize its value and tailor it to the organization's needs, a significant amount of additional work and utilization of professional services are required.

The reduction of the alert volume presents a challenge due to the X number of personnel in the security alert center. They can effectively handle only Y alerts per day without experiencing fatigue. When the volume surpasses this limit, they tend to merely open and close alerts without thorough investigation. It's as if they've become weary of the process. Therefore, we must determine the optimal number of alerts per day and adjust the rules accordingly. The primary objective is to achieve a statistically reasonable number of alerts per day. This number should be somewhat higher than the current rate, but not three times greater, as exceeding this threshold would render their efforts ineffective. Conversely, if the number of alerts is too high, the personnel's capacity to take action is undermined, resulting in a lack of meaningful outcomes. Striking a balanced middle ground is imperative. This approach enables us to effectively identify and address crucial matters while ensuring our personnel can thoroughly investigate each alert.

Depending on the goals an organization aims to achieve, if their sole focus is on finding the most economical solution and they do not prioritize comprehensiveness, then QRadar would suffice. However, if they seek instant access to answers, I would recommend Splunk Enterprise Security.

Splunk Enterprise Security is deployed across our entire network.

Maintenance is necessary for the system, and updates are needed periodically. Whenever we acquire a new system, we must connect it to Splunk.

Resilience constitutes a crucial component of Splunk Enterprise Security, contributing significantly to the safeguarding of our system.

I recommend Splunk Enterprise Security for organizations that have the budget, time, and skill to properly utilize the solution. I do recommend paying for Splunk Professional Services.

Most times I use Splunk Enterprise Security for log analysis, and I also use it to create alerts for any security incidents. There are some alerts I set up on my endpoint, and once the alert is triggered, I get a notification. I also use it for visualization. I create my own dashboard to send to my managers for analysis, for reports, and all of that.

The ability to easily aggregate data and make meaningful reports is what makes Splunk Enterprise Security excellent. If I want to search for the number of failed passwords, I can go to my index, write my query, and create a report quickly. When my manager wants me to create a report concerning a particular incident, I go to my dashboard, type my query, create my dashboard from there, and everything works out smoothly.

They should put out more educational resources for users to learn how to use Splunk Enterprise Security. If they could have a manual or guide similar to Linux, where users can search and see various commands for different searches, it would help users navigate their way around the product more easily so it wouldn't be so complex.

I have been using Splunk Enterprise Security for over two years now.

There was one instance when I was trying to use the Forwarder and it wasn't working properly. Apart from that, Splunk Enterprise Security has been perfect for me.

When trying to connect to other endpoints using the Splunk Enterprise Security Forwarder, I encountered connectivity issues. This occurred while setting up for a company, and the connection wasn't working properly.

I have used Wazuh.

The pricing could be reduced to make it more accessible.

I would rate Splunk Enterprise Security an eight out of ten.

The main use cases are with the firewall, DNS, and Windows events. These are the three basic ones to start with. Once they're done with all the compatibility and introductions, custom use cases will follow.

It's currently in the implementation phase. But, it will surely improve response time and make it easier to collect and check everything in one place. Instead of going to multiple dashboards and running multiple queries, all can be integrated into one dashboard. You can just click and then go drill down into deeper levels and get more information.

Splunk Enterprise Security provides end-to-end visibility into our environment. It's very important because: 

1. This tool is used as SIEM implementation. End-to-end visibility is really important in such a case; if something is missed, it's an error. 
2. Also, we belong to the retail sector with over 700,000 employees. We have a lot of endpoints and everything is open, so end-to-end visibility is essential.

It helped our organization to ingest normalized data. With Windows, DNS, firewalls, and the open use cases we've checked, we've gotten more data in. The compatibility with the add-ons helps us add more data in the same compatible format and use data models to elaborate and make it faster.

The investigation dashboard provides a lot of value. In the same dashboard, we get all the drill downs, raw events, and information about what the particular user is doing or where the vulnerability started, all in the same dashboard.

It helps us reduce our mean time to resolve. Now, we can see all the incidents on a single dashboard and it could be assigned to the analysts at the same time on the incident review. People can start working on it right away, so it does reduce the mean time to respond.

Splunk's unified platform helps consolidate networking, security, IT, and IT observability tools. But our major focus or use case is more on the security side. We don't use observability, so we just use logs, matrices, and other security-related features.

Incident review is pretty valuable. You can have everything in one place, review it, and assign things to analysts, and they can work on it. 

We also have different teams segmented; it is not one team. So, we brought that using the teams method in Enterprise Security, which I think most people are not using. This way, different users have different dashboards or lists of incidents.

One thing is multi-tenancy, which is not currently not there. The concept of Enterprise Security assumes only one team using Splunk, but in many companies, including ours, that's not the case. We have multiple security teams operating under one umbrella, with different people using it for different smaller companies. If multi-tenancy could be incorporated, it would surely help us. 

We started with it last year. We integrated it last year, and the SOC team is now handling it. They're making it SIM compatible, introducing the first few use cases, and working with the data. 

So, we bought the license nearly a year ago, and started implementing it about six months ago.

Stability is there, but every release has some bugs. For example, in this release, indexes were down, searches were down, and the monitoring console wasn't working. So, it's a bit tough.

It's still being implemented, and a lot of work needs to be done. But, considering the pricing and everything, I would give it a seven out of ten. It does have a lot of use cases, but a lot of work has to be done beforehand. Our data wasn't totally SIEM compliant because we used prebuilt solutions and changed the data format.

We use Splunk Operator on Kubernetes, so it's not on-prem or Splunk Cloud. Customer support is not good at all.

For example, we upgraded the system on Saturday and raised an incident. With Operator, you can only raise a P3 incident, so we needed to escalate it and get the developers involved. Support cannot handle such cases. We always have to get the developers involved to get the issues fixed. This happened very recently. But it is very common; the support for Kubernetes is zero.  

The company didn't have a SIEM solution. It was more of SOAR, so we used FortiSIEM for that. We still use it. 

Setup is not that difficult. You just have to install the search head cluster and a normal app. Data normalization is the main thing required for Enterprise Security. SIEM compatibility is the most important thing. If it's not there, then it won't work.

The deployment of the solution is pretty simple, if your data is SIEM compliant. If not, then you need to make it SIEM compliant. Otherwise, you cannot use the solution.

We have a Splunk partner that helps us with integration and other stuff.

Pricing is a bit costly. It always is.

We considered a couple of other brands. We ran a couple of POCs with other enterprise tools.

Since we've been using Splunk for nearly four years, it was easier to incorporate Enterprise Security. We did try other SIEM solutions like Fortinet, but since Splunk was already there in place and had all of our normalized data, it made more sense to use Enterprise Security.

We use Splunk Enterprise Security to ensure the security of our endpoints, including corporate workstations, tracking proxy logs, and all of the other benefits that Splunk Enterprise Security brings, including observability and visibility into the environment.

We run Splunk Enterprise Security on a single search head, and it talks to about nine separate clusters. It's a hybrid environment of on-prem and AWS. Ideally, we will migrate that to a search head cluster for Enterprise Security for high availability. Then, in the upgrade process, we generally have about two hours of downtime when we upgrade Enterprise Security. Ideally, moving to the cluster environment will allow us to mitigate that entirely. So, we did some assessments earlier in the year. We've gotta do some finalized testing, but we're hoping that will eliminate almost the entire two hours of downtime for our customers when upgrading. Then, it's two hours from start to finish to get the search head back up, and that does not include backfill time or anything like that. It could be a good full workday. So getting that workday back is going to be very important for us, and that's where I think we're gonna end up evolving for the Enterprise Security environment.

One benefit we have seen using Splunk Enterprise Security is keeping it all integrated, so no jumping between tools during investigations is the biggest benefit from the analyst's perspective. When we're setting up an investigation, it allows them to use one tool versus having to compartmentalize all the tools together, link it together, document it, and ultimately end up in one spot. Using Enterprise Security as it allows for integrated tracking for the investigations.

It's very important that Splunk Enterprise Security provides end-to-end visibility into our environment because not seeing something is a potential risk to the business. Having that visibility also assures the business, all the way up to the C Suite level, that there is coverage. And if not, we at least have that identified as an uncovered portion.

As long as we can point the data into Splunk Enterprise Security, it is easy to identify security events across cloud, on-premise, and hybrid environments. Getting it into Splunk is typically the challenge because it needs to be in a usable format. So once I've got it properly shaped and tagged, the rest trickles down. Generally, there are a lot of good TAs for getting data into Splunk around the cloud providers. So we don't have to customize it as much. It's just about getting it implemented, going through the checklist, and doing our due diligence to make sure we have the coverage we need. We will see events as long as they're flowing into Splunk. Once it gets into the data models in Enterprise Security, it will show up.

As far as ingesting data, Splunk Enterprise Security specifically hasn't helped. We shape and normalize our data to meet Enterprise Security's needs. So, we did that as a preemptive during our initial assessment. What does it come in as? What do we want it to look like? How can Enterprise Security more optimally use it? Will it hit the data models? Will it show up? Things like that. So, a lot of that is already there before Enterprise Security, but then using the data is where Enterprise Security shines. It makes the data more usable across all data sources. We don't have to know what to look for in each data type. We could go to the data model and view it.

We've increased our alert volume a little bit, not in a bad way, but getting new detections. The risk-based alerting has decreased. So what is happening elsewhere in the environment correlates with that event, and those risks are bubbling up to the top, whereas somebody getting locked out isn't as important as an account takeover. It's hard to portray that image with one event, but a series of events on the timeline makes it a little easier.

Splunk Enterprise Security lets us know who owns what hardware, who should access it, and who shouldn't, more specifically, during an investigation or escalation path. So we know there's a problem. Who do we talk to next to start that process and up the chain? We have a lot of that in there as well, which helps.

Splunk Enterprise Security has generally helped reduce our meantime to resolve. How much is hard to say because it depends on the investigation's scope and scale. It does help the analysts get a clearer picture of what's happening everywhere in the environment. 

Enterprise Security will automatically correlate those events for us. When an analyst gets assigned to that investigation, it becomes looking at the picture and putting the puzzle together versus having to go through a threat hunt or find those indicators and then identify the account lockouts and takeovers. It's already in one pane of glass, and then that gets us to the meantime to resolution quicker. 

It has decreased our mean time to detection, especially for the high critical alerts. When we leverage that risk-based alerting, we can say, alright, multiple events have now happened to propagate this into a larger event instead of trying to correlate that as an individual or a team of analysts. Ad hoc is going to always be slower than automatic. Doing it in the back end means my analysts get there and get the job done quicker.

Splunk Enterprise Security has helped with our organization's resilience. We generally use observability metrics to determine the state of the hardware and the status of the environment at the time, so that has been a good point. It's definitely made us more resilient to figure out what happened post-incident and on what time scale and then go back and try to either remediate or mitigate that wherever possible. The historical context is just as valuable as their live real-time learning context.

The most valuable feature of Splunk Enterprise Security is the threat intelligence integration because essentially having to go out and correlate all the data on our own becomes convoluted. We don't have the resources, so having that included in the product makes it easier for us.

For us, the area that Splunk Enterprise Security can improve is performance optimization. Enterprise Security is so critical that right now, we're working on getting it to a clustered state to have high availability. The challenge there is hardware procurement and utilization. It's very resource-intensive. A type of performance optimization would generally be a huge improvement.

I have been using Splunk Enterprise Security for six years.

Splunk Enterprise Security seems stable to me. I haven't seen many issues, so I'm looking to try and test the latest version.

Scalability is a mixed bag. So, when we first started Enterprise Security, they told us not to cluster it. Now they're recommending we cluster it. We haven't gone down that road yet. I am looking forward to it. But if they say it can scale, they have customers that have done it. We gotta go through the growing pains of implementing it, rolling it out, and making sure it's ready to go. I think it's possible, but I have no formal experience yet. I am looking forward to it.

We started in Splunk, used it historically, and saw the product's value. It becomes the other data that would not be allowed for business reasons. How can we leverage that to provide value for the business? I know a lot about searchability this year, such as trace logs and metrics. These are generally good, but some trace stacks can be a lot of ingestion against our license. If we could put that in somewhere, that would not be as cost-effective, ideally. The trade-off is performance. Splunk is very performant. It does its job well. It's just a little pricey for the non-business critical logs.

The deployment is generally good. We must stand up the search heads, get them ready, tie them into the index clusters, and then deploy. Generally, we don't expose anything to the customers until it's production-ready. So deploying it was just getting it out there and built, doing some finalized testing to make sure it's ready to be used by the end customer. 

We implemented Splunk Enterprise Security ourselves. Through Splunk, we've engaged some professional services to ensure that our plan of attack is moving in the right direction. Professional services have also provided a lot of guidance.

We have seen a return on investment with Splunk Enterprise Security. Getting that holistic view. Splunk gives us a better picture of what's going on in our environment. Without it, we would have to go hunt for it. It's like Google searching for logs. It's easy, and everybody uses Google. So it's time-tested in the market. It's just about how much data we can get in, how we're storing it, retention, pulling it back, and what goes with that associated.

While Splunk offers generous developer licenses and obtaining annual licenses is straightforward, the cost is a major consideration. As open-source competitors become more sophisticated, Splunk will need to address this pricing issue in the future.

We have not used other SIEM tools in the past, but we are evaluating other tools. We don't want to migrate away from Splunk. We want to replicate it at a larger scale for non-security-based data, such as application and developer data. Anything they want to throw in and search is fine. But at Splunk's current cost, it is generally very expensive to do non-business-critical logs in that environment.

I would rate Splunk Enterprise Security eight out of ten. Things that could be better would be further integrations into other security tools. I know a series of threat intelligence feeds can be integrated, and I'm sure they are slated. It's just a matter of getting the resources to integrate them.  Splunk Enterprise Security is a solid product. I run it in my home lab as well. It's generally one of the better Splunk apps.

We monitor secure events and notable events in the system and watch for outside intrusion. We create a lot of dashboards to respond to these events. It's used to monitor our live system, and as things occur, such as alarms and other notifications, it's really helpful.

We've captured many security intrusions and all kinds of threats trying to access the system and cause issues, particularly with the FAA in Alaska.

It's been great for us so far.

Splunk Enterprise Security provides end-to-end visibility into our environment is really critical. If we don't capture these events and something happens in the system, it could cause havoc to the telecommunications system in Alaska and really mess up air traffic.

Splunk Enterprise Security has been fantastic in helping us find any security event across multi-cloud, on-prem, or hybrid environments. I would give it a ten on ten.

It 100% improved our organization's ability to ingest normalized data. Splunk's ability to identify and solve problems in real time has been great. We use it in real-time every single day, 24/7.

Moreover, it helped us reduce our mean time to resolve. 

It helped us improve our organization's business resilience. We have great impressions of its ability to predict, identify, and solve problems in real-time. 

It 100% helps us consolidate networking, IT security, and IT and observability. Just being able to have everything in one spot together, a one-stop shop, is huge.

The dashboards let us dig deep into our actual system. Our system is spread throughout Alaska with about 70 sites, each with all kinds of equipment. Splunk Enterprise Security helps us mine through that data and look for security events.

I have been using it for about ten years now. We use it in our system in Alaska. Basically, it's the software we use to do a lot of our monitoring of the system and dig deep into the data.

It's been great. The site is constantly up, and it's been really easy to adjust the data.

It's been pretty good. I've never had to deal with it personally.

Ever since I started here, we've been using Splunk.

I'd give it a nine out of ten. There's always room for improvement, but Splunk is pretty great. It's one of our main tools.

Splunk Enterprise Security serves as our primary tool for endpoint detection.

Our organization manages security across multiple cloud environments. Splunk Enterprise Security is a valuable tool in this process, offering a comprehensive dashboard that centralizes monitoring for all our cloud deployments. This unified view allows us to efficiently track security posture and identify potential threats from a single location.

Splunk Enterprise Security offers strong capabilities for detecting insider threats. This security platform excels at analyzing data from a variety of sources, allowing it to identify unusual user behavior patterns.

It does a good job of analyzing malicious activity and helps us detect threats faster.

Splunk Enterprise Security helps reduce our alert volume and helps speed up our security investigations.

In our financial institution client environment,  The insider threat detection capabilities allow us to closely monitor credit and debit card transactions for any signs of compromise. By leveraging Splunk's capabilities, we can proactively identify and address potential security threats that might impact our client's financial data.

We have improved our incident response time with Splunk.

Splunk Enterprise offers a variety of apps that cater to different needs. These apps provide features like directory management, add-on and data model control, report dashboards, and alerts. Notably, some of these functionalities are available in the free version. Additionally, there are separate apps for security purposes. Our EMEA region has its own set of apps, allowing them to upgrade, maintain, and manage separate dashboards specific to their requirements.

Dashboards can be customized to allow users to easily monitor specific data relevant to their needs. This might include data segmented by country, region, or even customer credit card information. By customizing the view, users can quickly identify trends and gain insights into areas of particular interest. Additionally, dashboards can be configured to automatically display default information or alerts upon opening, further streamlining the monitoring process and ensuring users can find the specific data they need right away.

Splunk Enterprise Security is a valuable tool that allows us to monitor data from the APS daily. This monitoring focuses on the success or failure of APS calls. Successful calls are identified by a status code of 200, while unsuccessful calls are indicated by a status code of 400 or any other code. By monitoring these codes, we can proactively identify situations where the intended data retrieval fails due to backend server issues. This distinction is important because it helps us differentiate between failures caused by backend server problems and those resulting from issues with the monitoring team's ability to send requests. This clear separation allows a dedicated team to investigate these specific backend server failures and implement resolutions.

Data profiling, data onboarding, and data maintenance are all crucial steps in ensuring the quality and usability of our information. However, encountering missing files disrupts this process. When files are absent, troubleshooting becomes difficult, and performance issues inevitably arise.

I have been using Splunk Enterprise Security for many years.

Splunk Enterprise Security is stable.

The initial deployment is straightforward.

I would rate Splunk Enterprise Security eight out of ten.

Splunk Enterprise Security is a powerful security solution that offers flexibility. This flexibility empowers our team to adapt and respond to evolving threats. With Splunk Enterprise Security, we have the tools and adaptability to effectively address whatever security challenges we encounter.

I recommend Splunk Enterprise Security as the most suitable solution for monitoring and protecting our data.

We use Splunk Enterprise Security to monitor the network. We use the solution wherever there's a problem with the cell phone tower.

When we see a problem, Splunk Enterprise Security provides many details you can use to diagnose and determine what needs fixing.

The solution's most valuable feature is the dashboard, which allows us to see everything on the same page and provides easy visibility into problems.

Splunk Enterprise Security has helped us find security events in our on-premises environment.

It has helped improve our organization's ability to ingest and normalize data. Splunk does a good job of identifying and solving problems in real-time.

We have reduce our alert volume by 80%.

The solution provides relevant context to help guide our investigations. Splunk provides pretty detailed information. Based on that information, we can assign it to different teams.

It has helped speed up our security investigations by 40%.

Splunk Enterprise Security has helped reduce our mean time to resolve. In most cases, we're able to solve issues in less than 45 minutes.

Sometimes, the data does not match what we're looking for, or the tool contains incorrect data.

I have been using the solution for two months.

Splunk Enterprise Security is a very stable solution.

The solution provides good scalability.

The technical support team responds quickly every time we contact them.

We have seen a return on investment with the solution because it has reduced the time it takes to fix our problems.

Overall, I rate the solution a nine out of ten.