Splunk Enterprise Security Reviews

We have integrated different tools to get files from various types of endpoints. We also have Check Point. There are a few Windows use cases for brute force and code block attacks, and we use Splunk to detect when a user is logging in from another country where we don't do business. Splunk is integrated with our AWS environment, so we ingest logs from Amazon CloudTrail, GuardDuty, and other solutions. 

Without Splunk Enterprise Security, it would be difficult for us to manage and prioritize alerts. There's a potential to lose track of important notifications, and it's essential to our security that we do not miss anything. Splunk has improved our investigations because the reporting and dashboarding make things so much easier.  We can provide weekly or monthly reports. I also like Splunk's ability to integrate. 

We can fine-tune our alerts to reduce false positives or low-priority alerts. It reduces the time our admins spend on responding to alerts by one or two hours weekly. We can alter the policies, do geoblocking, and add certain applications and IPs to our allowed list. 

Splunk covers our cloud and on-prem environments. We were exclusively on-prem, but we are slowly moving into the cloud. Our developers can customize investigations by adding multiple interesting fields and aggregate those details in Enterprise Security by using the appropriate SQL queries.

We use Splunk's threat intelligence management feature, which provides insight into how business decisions can make an organization vulnerable to cyber attacks. All of these things fall under tactical threat intelligence. For example, it can tell us if someone is accessing our organization's API. 

We have integrated all our tools so that we can monitor any alert type, but we use Splunk primarily for investigations. We're ingesting audit, security, application, and Windows logs. Once we get an alert, we go to the tool and investigate further

Splunk uses the MITRE ATT&CK framework, giving us new tactics and techniques based on issues observed in other businesses and industries and helping us to address novel threats to our network. MITRE ATT&CK is highly useful. 

It's a little difficult to archive data in Splunk for longer than six to eight months. Integration is more challenging compared to other tools we've used, such as LogRhythm. 

Integrating tools and creating use cases could be easier. It's hard for a junior security engineer with only a couple of years of experience to write use cases. They can do it, but it's much easier in a solution like IBM QRadar. Setting conditions is like a multiple-choice type of thing. It's a more user-friendly process. 

We have used Splunk Enterprise Security for nearly a year. 

I rate Enterprise Security nine out of 10 for stability. Splunk is solidly stable. We've rarely experienced a crash requiring us to rebuild cases. 

Our organization has around 1,000-1,500 groups, and Splunk works fine for us. 

I rate Splunk support nine out of 10. Their support team is excellent. We schedule calls with them when we have issues. They typically rectify any problems in eight to 12 hours. At most, it will take a week to fix an issue. 

I have worked with LogRhythm, and I think Splunk's interface is much better. It's more attractive and has a more interesting feel, so I think it makes things easy for our analysts.

I rate Splunk Enterprise Security eight out of 10. Splunk is useful for compiling all types of logs for investigation and monitoring purposes. I can recommend Splunk for people if they are comfortable with the deployment and integration. While integration is easier with solutions like QRadar or LogRhythm, Splunk is better for everything else. 

Being in an air-gapped environment, we pretty much look for insider threats and other notables related to improper configurations and against security best practices.

We are 100% on-prem and in an air-gapped environment, so there is no Internet connection.

There have been some improvements, especially related to centering. We added user behavioral analytics, so it imports everything. Any threat generated inside of that goes into Enterprise Security. I wish anomalies would go in there, but I can understand why they don't, as it generates so many anomalies. However, it would be nice if I could select certain anomalies that would be helpful with notables. This way, I can track down security events before they become threats.

I believe Splunk Enterprise Security has reduced our mean time to resolve, but we do not have any definitive timing metrics.

Splunk has helped improve our organization’s business resilience because it is a central location where correlation searches populate. We can easily track down and figure out where issues lie, which minimizes the time of my SOC team. It probably saves them a couple of hours considering it is colocating everything in one location. It would be nice if there were better ways to search for the data. We can take a look at the raw logs, but we should be able to find the actual event that caused the problem and see all the logs associated with it in a standard log format as opposed to just a text file with all the events added in.

We are a small environment, so we do not get a lot of alerts. We work on the issues as we get them and I am sure it saves a couple of hours.

In terms of its ability to predict, identify, and solve problems in real-time, it works really well when you are connected to the Internet. The predictive analysis is more cloud-based. Trying to find ways to do it on-prem in an air-gapped environment with no Internet connection can be a pain. There are some ways to do risk-based analysis, but we are still hamstrung because we do not have the Internet connection and the larger data sets that they have.

Internal tracking is helpful because we do not like to deal with multiple ticketing systems, and I am not a fan of ServiceNow. We are able to keep everything internal and utilize Enterprise Security. Internal ticketing is helpful because we can bring in all the data and have it all available. That way, we can go back and take a look at it if we find another situation. We do not have to utilize other ticketing systems for cybersecurity.

Its interface and usability can always be improved. We are running on the last version, so I have not checked out how the newest one looks. Currently, we have to track down and remember where things are located. We have new guys on the team, and sometimes they have to click around and figure out where things are.

We have been using Splunk Enterprise Security for about five years.

The solution is not going anywhere. As long as they continue to support and develop it, and not make it a cloud solution, we will continue to purchase it.

We have a total of 500 devices, and we ingest around 150 gigs a day.

The scalability is pretty easy. They recently enabled it to be able to go into a search head cluster. Previously, the only way to install this was on its own dedicated search and it could not be connected to a cluster. Over the last four or five years, they have been pushing harder and harder for clustering everything up for shared resources. Enterprise Security is one of the few apps where you were not allowed to do that. Having scalability with the search head cluster is nice, and it is one thing I am looking at implementing in the future.

Splunk's support is pretty good. I contacted Splunk's support a couple of times. In total, they are helpful, and we are able to get the support where we need it, but unfortunately, it is self-inflicted because we are air-gapped. It takes me anywhere between 45 minutes to an hour and a half to get the logs required. I need to get them sanitized, approved, and transferred over so that I can get them to Splunk. I would rate them a nine out of ten because a couple of times, I found the answer before they did.

They have the best documentation in all of the tech sector, and it is not behind a paywall where you cannot find information. There is certain information in Splunk Knowledge Base under the support page that I believe should be searchable through Google.

Positive

The return on investment is very good because, with ELA, we purchased the products at a reasonable price. We did not have to pay significantly more for licensing than we could possibly use. We were able to combine and get it at a much lower cost point.

In terms of the time to value, it took us a couple of months to get used to the interface and get people trained. Unfortunately, we had some turnover during that time, so we had to constantly retrain or train new people. The newer versions of Enterprise Security that came along made things a little bit easier. Luckily, we had some free training provided to us because we have an enterprise license agreement.

Luckily, we come under a large federal agency, and before the pandemic, they signed a large enterprise license agreement. It worked out great and to our advantage because we are a small organization. We got a 300 gig license, and we just did not have the buying power to be able to get products cheaply. Because we all partnered together under the agency umbrella, we were able to get Splunk Enterprise Security, UBA, and ITSI for cheap. This was good considering the fact that some of these premium apps require a minimum number of users, and we do not have the number of people needed to even justify buying it.

I would rate Splunk Enterprise Security a seven out of ten. There is definitely some room for improvement. I have not installed the newer version. Once I get into it, I will see what new capabilities there are, but there is a decent lift that is needed for the setup. Professional services help with that, but the customer generally does not like paying for that more than once.

Because of the ELA, I am able to come to Splunk conferences for free instead of having to pay my own dime. That helps tremendously, especially considering the fact that education is included. I believe that is because of the enterprise license agreement with the government contract. That helps out a lot. I have been coming to conferences since 2017. There are a lot of good people and a great community. 

Our primary use case is SOC operations. However, we do have a lot of people sprinkled around that deal specifically with data analytics.

Splunk Enterprise Security definitely improved our organization. It has helped out with handling our SOC operations across the enterprise. It has increased observability exponentially as we build out the solution to support enterprise operations, and we definitely hope to see it evolve in the near future as well.

We manage multiple clouds. The Spunk solution for the cloud environment is a great asset for us, especially because we are able to get full observability of our cloud platforms in a consolidated environment. In terms of integrations, Splunk has so many integrations with our different cloud service providers, which allows us to easily get that data down to our operators.

We run a global operation, so we have to have observability across the board. Splunk allows our operators to quickly gain insights into the global operation so that they can handle the day-to-day activities that they do, which includes the security analysts' work, data analysts' work, or anything along the lines of handling troubleshooting.

It has reduced our operation time, and it has cut time by more than half. 

It has improved our organization’s business resilience. It has helped with disaster recovery and continued operations in the event of disaster recovery.

It has been an extremely good asset to support day-to-day activities for operations. It is something that was required and needed for over a decade now. It is definitely a nice change of pace, and it also improves the quality of service that our operators can provide to our customers and clientele.

It has cut our costs when it comes to running security operations. I do not have the exact numbers, but it has been a significant cut, especially because we have better access to data engineering and data scientists' tool sets to cut the data cost.

The consolidated overview of all the events that come in through our environment and an easy-to-access interface for all our end users are valuable. As we get more people onboard, it is important that they are able to easily jump onto the platform and understand what they need to see in our environment. Having that quick operational capability allows us to get our observability up to speed as fast as possible.

I love the solution, but I would like to see more accessibility to the machine-learning capabilities that are sprinkled around Splunk.

We have been using Splunk Enterprise Security for about a good five years.

It is probably one of the most resilient tools in our environment, so I really enjoy what it provides us. It definitely provides us that 24/7 accessibility to our environment.

The scalability is exactly what we needed to make sure that we have observability at the global scale. For global operations, Splunk has great scaling features to make sure that it is able to handle the large volume of data that we handle.

Splunk's support is great and amazing. The people we work with in our corporate environment are top-tier experts. They understand our environment very well, especially because they have worked in our environment before, so Splunk has done a great job in getting that type of talent to support their customers. I would rate them a ten out of ten.

Positive

I was not involved in its deployment. I adopted it after I took this role.

We have seen a significant return on investment when it comes to Splunk, especially because of how it has allowed our operators to quickly respond to events on a day-to-day basis. It has allowed global observability.

There has definitely been a time to value. It comes down to having operators have access to such a unified platform.

From what I have seen so far, Splunk has multiple cost models. The one that we are using is pretty good when it comes to ingesting data into the environment. It has worked out pretty well.

We have evaluated other solutions, and Splunk definitely comes out as one of the top competitors due to its interoperability with a lot of data sources that are sprinkled around in our environment. This interoperability is a key piece because we have such a diverse asset environment.

Overall, I would rate Splunk Enterprise Security a ten out of ten.

The biggest value I get from Splunk conferences is being able to interact with my peers throughout our organization. I get an idea of what they are doing to make sure that we are on the same page and that we are able to cohesively build our security operations.

We implement Splunk Enterprise Security for our clients. It's a security tool that centralizes data in one location, so we can gain some insights from it. We can also use it to create alerts. For example, let's say we want to find an incident in real-time, but we can't sit in a single place and stare at the screen. We can create alerts that send us an email notification or automate a response. 

Splunk helped us reduce our alert volume because we could optimize our risk-based user analytics. I estimate that we decreased alerts by around 20 percent. Splunk Enterprise Security speeds up security investigations.  

Splunk's strongest suit is its user interface. We can integrate multiple solutions and adjust settings in the Splunk interface. It's easy to manage multi-cloud environments because we can use rules to segregate the data and restrict our clients from seeing each other's data. Splunk has a lot of plugins and add-ons that provide a lot of information about our cloud and on-prem environments.

Splunk's MITRE ATT&CK framework is excellent, but I haven't used it for investigation. I'm primarily involved in implementation and development. Splunk Enterprise Security is solid detection-wise and faster than many other SIEM solutions. 

We already have an antivirus solution in our environment, so Splunk detects viruses based on that. Once the antivirus detects something, it generates an incident in Splunk that we can investigate. The detection time depends on a few factors, but we can detect a threat in two to five minutes under ideal conditions. 

Splunk could improve its default machine-learning models. Also, Splunk Enterprise's native threat intelligence isn't that good. I prefer a custom threat intelligence model. 

We have used Splunk Enterprise Security for more than three years.

Splunk Enterprise Security has gone through multiple versions, so the product is mature and stable. It's currently on version 9. 

We can scale Splunk Enterprise Security horizontally or vertically. It isn't a problem. 

I rate Splunk support 10 out of 10. Splunk has better support than other vendors I've worked with. It's better than IBM support. 

Positive

We previously partnered with IBM and used QRadar as our SIEM. Splunk is faster, and I like the look and feel better. If you are looking for the cheapest solution, some free open-source SIEM solutions exist. They can do many of the same things that Splunk can do but maybe not at the same scale. 

One person can deploy Splunk Enterprise Security in 15 to 20 days, depending on the architecture. It takes less time to deploy on the cloud. The solution requires some maintenance. We need someone there to monitor it in case there are issues. Three people are responsible for maintaining Splunk. 

Splunk costs a little more than other SIEM solutions. It would be nice if they could bring the price down a little. 

I rate Splunk Enterprise Security nine out of 10.

My main use case for Splunk Enterprise Security is centered around threat detection and incident response. I’ve configured correlation rules and alerts within the SIEM to proactively detect suspicious activities. The environment includes multiple servers and security devices from which I collect log data using forwarders. These logs are ingested into Splunk, parsed, and analyzed to identify anomalies, security issues, and performance concerns. This setup helps streamline investigations and reduce response time to potential threats.

Splunk Enterprise Security has significantly improved our organization by centralizing log management, enhancing visibility into security events, and enabling faster detection and response to threats. The customizable dashboards, real-time alerts, and powerful correlation capabilities have streamlined our incident response process and reduced investigation time. It has also helped us meet compliance requirements more efficiently by automating reporting and audit trails.

Splunk Enterprise Security’s most valuable features include its powerful log aggregation from diverse platforms, flexible search and correlation capabilities, and customizable alerting system. It allows me to collect logs from virtually any source—servers, firewalls, cloud services—and create custom rules to generate meaningful alerts. The flexibility of Splunk’s Search Processing Language (SPL) makes it easy to build tailored dashboards, identify threats, and quickly pinpoint the root cause of issues, significantly improving operational efficiency and threat detection accuracy.

While Splunk Enterprise Security works well overall, improvements could be made in user management—particularly around simplifying role-based access controls and troubleshooting user account issues. Additionally, future releases could benefit from:

Improved UI/UX: A more intuitive interface for new users and simplified dashboard customization.

Built-in Use Case Library: More out-of-the-box security use cases and alert templates to reduce setup time.

Cost Optimization Tools: Better native tools to monitor and manage licensing usage and storage costs.

Enhanced Cloud Integration: Streamlined and more secure integration with major cloud providers for hybrid environments.

These enhancements would make the platform even more user-friendly and efficient.

I have been working with Splunk Enterprise Security for about two years.

I previously used Dynatrace and open-source tools like SigNoz. While Dynatrace excels in application performance monitoring, it requires an additional license fee for server-side log collection, making it less ideal for centralized log management and SIEM use cases. SigNoz, being open-source, offers basic log management but lacks the depth, scalability, and advanced threat detection features of Splunk Enterprise Security. I switched to Splunk Enterprise Security because it provides a comprehensive, all-in-one solution for security monitoring, log aggregation, and real-time alerting, which better fits enterprise-level security needs.

The initial setup of Splunk Enterprise Security was straightforward. I followed publicly available documentation, which was clear and easy to understand. The installation and configuration process went smoothly without any major issues. From initial setup to full deployment—including log collection, rule configuration, and dashboard setup—everything was completed in about two days, demonstrating how well-documented and accessible the deployment process is for users with a solid technical background.

I would rate Splunk Enterprise Security an eight out of ten.

We use Splunk to monitor unusual user behaviors. For example, if any user onboards from a different domain, it will trigger an alert. We also get alerts and high traffic when the ADI server is down. Splunk will monitor that behavior or when users make repeated wrong login attempts.

My full-time job is managing the IAM product. Splunk is one of our security monitoring tools. Most of my work is on IAM tools like CyberArk and SailPoint, etc. 

Splunk manages all of our security and maintains a hundred percent availability. It improves business while securing the entire cloud environment. In terms of business, we don't need manual monitoring. It automatically monitors and notifies an administrator, so we can easily track and identify the particular issue. It saves our employees' time, and we can manage the environment without any impact on business service.

In the UK, hackers use automated software to make repeated login attempts. Splunk immediately identified these attempts and notified the admins, so the red team suddenly took action to block them.

It's nonstop monitoring that isn't affected by business hours. You don't need a manual administrator. Splunk will monitor everything, and a single administrator can monitor the alerts. Splunk will notify us if any unusual behavior happens, allowing us to take immediate action. There's no need for any further investigation and log analysis. It provides the exact result, what happened, and where it happened. 

Splunk helps us reduce alert volume. Whenever the same type of attack occurs repeatedly, we can change the environment and improve the security so the attack won't repeat. 

It speeds up our investigations through automation. Investigating manually takes a long time, and we sometimes cannot identify the exact issue. Splunk monitors the data and events, so we configured a range. If it triggers that area, it will provide the exact result. We can immediately identify and fix it. There's no need to investigate. It reduces the mean time to resolve by 80 percent. 

Splunk is user-friendly. We can easily customize the monitoring script. We support a multi-cloud environment covering Windows Server, AWS, and Google Cloud. We also use ForgeRock to monitor Linux machines. It sends us alerts when the disk size gets full. When an employee logs in from a different region, it triggers an alert. 

Splunk isn't appropriate for smaller companies. It's too expensive.

I have used Splunk for two years.

Splunk is a highly stable product. 

I rate Splunk nine out of 10. When we have any questions, we raise a ticket and they respond in two or three hours. 

Positive

Splunk provides the tenant, and we can directly integrate it into the cloud URL. For the hosting, we can deploy it to the EC2 instance. Splunk is integrated with Cypress, CyberArk, and Fastdesk. Splunk also supports SAML integration. Splunk is a SAML application, so we can use SAML protocol to enable it. 

I rate Splunk Enterprise Security nine out of 10. 

Our primary use cases are for detection and remediation.

The benefits we've seen from Splunk is that we can promote it to our customers. The second benefit is that it works. It does what it's purported to do, and the support is more than adequate. 

The most valuable feature is that it brings all of the components necessary to identify, analyze, and respond together.

It's pretty important that Splunk provides end-to-end visibility into your environment. As in any product that one purchases to fulfill a function, we want to recognize where it came in, who it affected, and what the challenges are that need to be met in order to resolve something, both immediately and also to make sure that it doesn't replicate in the future. Splunk does a good job of being able to do the former half. Dealing with issues requires tier-three support and above and it takes time. You can work through it with the help of your vendor team.

I would rate them an eight out of ten. It's not so much the problem of the application itself, although there are always improvements that can be done. There are a lot of moving parts that need to be added in and if you don't have the information that you need, especially within identity and inventory, then that can be an added challenge when you have to start making imprints based on what you do know.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. There are a number of different standards that can be presented, which is beneficial. Some customers like to have the information that they receive in one format. The driving factor is that when you work with federal customers, some of them want it in one format. The response will be in one format as opposed to another. 

Splunk has helped to improve my company's business resilience. It's an active component in ensuring that we are vigilant against intrusion and detecting it.

Splunk is such a large product. Allowing it to be more easily used by people who have not had a lot of training on it would be an improvement. That's something that they're accomplishing with their current version, although I haven't had an opportunity to learn much about it. With AI capabilities coming on board, a lot of that will alleviate the minutiae that people need to know in order to resolve problems as they come up.

Splunk's ability to predict, identify, and solve problems in real-time is a work in progress.

I have been using Splunk Enterprise Security for the past four years.

Aside from the fact that it can be a resource hog, I'm satisfied with the stability. I don't have too many problems except for a few occasions when we have a threat intelligence file blow up a drive because there's not enough room. It might be because a complete configuration has not been implemented. 

I like the fact that it can be tweaked, but a lot of the various configurations for how long data is held or how long particular components of investigation are held. 

I encourage users to use the vendor management team and cultivate a relationship with them. I have worked with companies who had support that I would rate 11 out of 10. I would rate Splunk an eight out of ten because as any large growing company, they have challenges with keeping the talent necessary, who are not only educated to evaluate a problem and pass it on or solve it themselves.

Positive

The largest challenge with the setup is that it has so many different components. The environment that we're in is a multi-tenant. Enterprise Security with all of its components is huge. If you're using something like a deployment server you can't break it up. It makes it rather unwieldy. I'm sure that there are workarounds that have not been implemented in-house.

Splunk provides more than the people who pay for it realize. I had a few exercises in presenting ROI and benefit-cost analysis and I have been able to demonstrate where it has performed superior to other options.

I was deeply distressed when they went away from their perpetual license.

We evaluated Splunk's typical competitors. We went with Splunk because Splunk has the underlying capability of not only ingesting anything and storing it using their bloom filters and whatnot in order so that you can do sparse and large searches relatively quickly. It also has a wonderful presentation layer, which can basically plug into many other systems. I find Splunk to be a veritable Swiss Grey knife of capabilities.

I would rate Splunk Enterprise Security an eight out of ten because there's always room for improvement and because it can be difficult to learn.

The primary use case is computer network defense.

It is very important that Splunk ES provides end-to-end visibility in our environment. Part of the solution is bringing the user closer to the resolution.

The integration with other risk-based solutions, such as the risk matrix applications included with Splunk, is helpful. It helps us identify the risks without having to delve into other resources.

Splunk helped improve our company's ability to ingest and normalize data. That's the primary use of Splunk Enterprise or Core. For ingestion, we've been using Splunk Enterprise for about six or seven years before we had ES. So, that was the primary reason we got it.

In terms of the risk-based part, Splunk improved our ability to ingest and normalize data. Initially, we used Splunk Enterprise Core for aggregation and correlation. We didn't have the risk-based reporting.

I'm very impressed with Splunk's ability to identify and solve problems in real time. And I look forward to the new version improving the product.

We've been able to discover things we didn't see before. So, there's more that we discover now.

Splunk ES provides us with the relevant context to help guide our investigation. It goes back to the time to resolution. We have to do much less investigation because it's already built-in alerting. 

Risk-based reporting and anomaly detection are valuable features.

The biggest advantage is the reduced time to resolution. Before, it took us up to days to resolve issues, and with Splunk, we've been able to move that down to hours or even minutes in some cases.

I was just at the conference, and they spoke about and demoed a new version of Splunk. It looked like some pain points are resolved in the new solution, such as not having to go to so many different panels. Like to streamline or improve the UI. 

In terms of training. I find that some things about Splunk aren't well-explained. I see features and then go to the website but don't find good explanations. However, I can always call support and get help.

We purchased ES four years ago.

If properly built, I'm very impressed with the stability of Splunk ES. We initially stood it up on a single server, and to make it more robust, we had to break out of that single server concept to make it more resilient. 

The scalability is very good. That comes from our experience of having to scale out, and Splunk's documentation on scaling up is very good.

Every time we've used Splunk support, it's been very good. We don't have any in-house Splunk engineers, but headquarters has some they can send to assist us, so I can call on them. It's a very good support chain.

If there is some room for improvement, it is in terms of training. I find that some things about Splunk aren't well-explained. I see features and then go to the website but don't find good explanations. However, I can always call support and get help.

Positive

My company is very impressed with Splunk. We've used several SIEMs before, and Splunk has been the most efficient one.

There was one called Intelotactic, and another was called Secureworks. I believe both of those are gone now.

Initially, with Splunk, we had a steep learning curve. It went from a fairly low ingestion point to figuring out how much data we needed to get to a certain level. Even when we got to a level we were happy with; we found that we were ingesting a lot of noise in the data. We had to figure out ways to reduce that noise.

We bought the maintenance along with Splunk ES and used Splunk engineers to assist us in the setup. It was a very good process. It worked out very well for us.

The knowledge of the individual sent to us was impressive.

Deployment model: Ours is all on-prem currently, but we are headed towards a cloud solution.

I would rate it a nine out of ten. 

Our primary use case is to find brute-force attempts on our systems. 

We use it for security purposes, to find malicious activity, and to find misusage of our business platform.

The main benefits we have from Splunk Enterprise Security are the alerts with which we can manage the searches and the notables which can be good for documentation.

Identity management is the most valuable feature. 

Its ability to find any security event across any environment is useful if you use the risk parameter. If it can correlate with an identity or an asset, then correlations between such events are up to the analyst. 

Splunk Enterprise Security helped improve our organization’s ability to ingest and normalize data.

Splunk helped to reduce our alert volume by 53%. We work based on an on-call process. The analyst who is on call can use Enterprise Security to see what alerts they have and work from there.

If you load it correctly, Splunk will provide us with the relevant context to help guide our investigations. It made it easier. 

Splunk Enterprise Security helped improve our organization's business resilience.

In terms of its ability to create, identify, and solve problems in real-time, if the problem arises, we can go and look at Splunk, but if it's happening in real time and no one reports the issue, then it doesn't work in real time. 

It helps consolidate networking, security, and IT observability tools but it doesn't have such a big impact on our company. 

It should work better out of the box and have better use cases that would not require my intervention. For example, if I install an antivirus and endpoint protection on my computer, I don't need to do much. But to get any value from Splunk, I need to work hard on it. 

In the next release, they should include machine learning-based rules that would streamline the process of finding anomalies.

For real-time detection, I would not say that Splunk is the best. If you experience a problem and go to Splunk to look at the dashboard, then it's in real-time. Because of the way Splunk works, I wouldn't get an alert in real-time. 

I have been using Splunk Enterprise Security for five years. 

On newer servers, it can be stable. On our servers, it can take a while. We need to re-enter when we press selections. 

It is scalable. You can add more servers and analysts. 

Support depends on the issue. Sometimes they help but most of the time, I have to solve the issue on my own. 

I would rate support a six out of ten. Usually, it can take time until I get to someone who can help. The diagnostics aren't always accurate. I once had an issue where they replaced a certificate that we weren't using, so it didn't solve the problem. It can take a few iterations to solve the problem.

Neutral

The deployment is fine for me, but it is not really straightforward. I would suggest simplifying the process. For example, the whole certificate part is not secured by default. I would recommend fixing that.

We used EMET Computing for the integration. They are fine. 

We do see ROI. We can deduce the ROI from finding the damage that misusing our business platform is causing. 

I think that the price can be too high sometimes, especially for the cloud. We get a lot of logs that are meaningless. For example, if we are using a firewall, we get a message for every session or packet. A lot of those connections are the same. We pay a lot of money on the license and on logs that are the same. If there was a way to aggregate them, the cost of the license would be reduced.

I would rate Splunk Enterprise Security a six out of ten. It is useful but it doesn't add that much value on top of standard Splunk. Because of our use cases and environment, we don't use all of the features it has. Nevertheless, the value it provides isn't so different from Splunk Core.

We use it for alerting. It also helps our analysts triage.

It is our bread and butter and our day-to-day tool for the SOC. Besides alerting, just being able to do research and look through various logs to gather context around the alerts has been super valuable.

It is critical to us that Splunk Enterprise Security provides end-to-end visibility. The place that you cannot see is from where you are going to get attacked.

We have a hybrid cloud environment with AWS and Azure. I am pretty confident in its ability to help us find any security event across our environment. We have put in time to feed Splunk Enterprise Security the data that we want to look at.

I am pretty happy with its ability to ingest data. When it comes to normalizing, my company could improve on that a little because we need to do more tuning of some of the data that we are ingesting. That is not much of an issue with Splunk Enterprise Security. That is more of an issue with how we are using it. We need to possibly do a little bit better in terms of how we utilize this tool.

I am pretty confident in its ability to identify and solve problems in real-time. If it has the data and you implement it properly, it will tell you what is wrong.

With risk-based alerting, we are now getting the right context for investigations. It definitely helps and speeds up the investigation. With risk-based alerting, I can see the chain of events. I can see what caused this to occur. I do not have a percentage, but I know my analysts are not getting the alerts that they have not completed by the end of the shift. Previously, that was not the case, so I am pretty pleased.

Splunk Enterprise Security has helped improve our organization’s business resilience.

Splunk Enterprise Security helps to identify and solve problems in real-time, but I do not know if it can also predict the problems in real-time.

I am enjoying our implementation of risk-based alerting. That has helped very much with cutting out a lot of the noise that we have. It has reduced our alert volume significantly. There is about an 80% reduction.

I do not like the pricing model. It is expensive.

I have been using Splunk Enterprise Security for about five years.

I have not had issues with its stability.

It is pretty scalable. It also depends on what you are ingesting, but it does a good job with our data.

I do not use the support that often. Normally, when I am looking for help, I just search on the web. If I am trying to build something and I do not remember the command, it is pretty easy to find.

I have used logging solutions. I find Splunk easier to use than other solutions such as LogStack.

With any such tool, the alert quality that you will get is based on the data that you are feeding it. If you are parsing logs and doing a good job with that, the outcome is good.

I did not deploy this instance, but I deployed it in my last company. It was not as bad as I thought. It was comparable to some of the other product rollouts in the environment.

It is expensive, but it is a good tool.

It is worth the cost. I have worked with organizations that did not want to invest in a security tool. I am glad that we are taking security a little more seriously in this organization.

I would rate Splunk Enterprise Security a ten out of ten. I enjoy it. I like it.