Splunk Enterprise Security Reviews

Splunk Enterprise Security serves as our primary tool for endpoint detection.

Our organization manages security across multiple cloud environments. Splunk Enterprise Security is a valuable tool in this process, offering a comprehensive dashboard that centralizes monitoring for all our cloud deployments. This unified view allows us to efficiently track security posture and identify potential threats from a single location.

Splunk Enterprise Security offers strong capabilities for detecting insider threats. This security platform excels at analyzing data from a variety of sources, allowing it to identify unusual user behavior patterns.

It does a good job of analyzing malicious activity and helps us detect threats faster.

Splunk Enterprise Security helps reduce our alert volume and helps speed up our security investigations.

In our financial institution client environment,  The insider threat detection capabilities allow us to closely monitor credit and debit card transactions for any signs of compromise. By leveraging Splunk's capabilities, we can proactively identify and address potential security threats that might impact our client's financial data.

We have improved our incident response time with Splunk.

Splunk Enterprise offers a variety of apps that cater to different needs. These apps provide features like directory management, add-on and data model control, report dashboards, and alerts. Notably, some of these functionalities are available in the free version. Additionally, there are separate apps for security purposes. Our EMEA region has its own set of apps, allowing them to upgrade, maintain, and manage separate dashboards specific to their requirements.

Dashboards can be customized to allow users to easily monitor specific data relevant to their needs. This might include data segmented by country, region, or even customer credit card information. By customizing the view, users can quickly identify trends and gain insights into areas of particular interest. Additionally, dashboards can be configured to automatically display default information or alerts upon opening, further streamlining the monitoring process and ensuring users can find the specific data they need right away.

Splunk Enterprise Security is a valuable tool that allows us to monitor data from the APS daily. This monitoring focuses on the success or failure of APS calls. Successful calls are identified by a status code of 200, while unsuccessful calls are indicated by a status code of 400 or any other code. By monitoring these codes, we can proactively identify situations where the intended data retrieval fails due to backend server issues. This distinction is important because it helps us differentiate between failures caused by backend server problems and those resulting from issues with the monitoring team's ability to send requests. This clear separation allows a dedicated team to investigate these specific backend server failures and implement resolutions.

Data profiling, data onboarding, and data maintenance are all crucial steps in ensuring the quality and usability of our information. However, encountering missing files disrupts this process. When files are absent, troubleshooting becomes difficult, and performance issues inevitably arise.

I have been using Splunk Enterprise Security for many years.

Splunk Enterprise Security is stable.

The initial deployment is straightforward.

I would rate Splunk Enterprise Security eight out of ten.

Splunk Enterprise Security is a powerful security solution that offers flexibility. This flexibility empowers our team to adapt and respond to evolving threats. With Splunk Enterprise Security, we have the tools and adaptability to effectively address whatever security challenges we encounter.

I recommend Splunk Enterprise Security as the most suitable solution for monitoring and protecting our data.

We use Splunk Enterprise Security to monitor the network. We use the solution wherever there's a problem with the cell phone tower.

When we see a problem, Splunk Enterprise Security provides many details you can use to diagnose and determine what needs fixing.

The solution's most valuable feature is the dashboard, which allows us to see everything on the same page and provides easy visibility into problems.

Splunk Enterprise Security has helped us find security events in our on-premises environment.

It has helped improve our organization's ability to ingest and normalize data. Splunk does a good job of identifying and solving problems in real-time.

We have reduce our alert volume by 80%.

The solution provides relevant context to help guide our investigations. Splunk provides pretty detailed information. Based on that information, we can assign it to different teams.

It has helped speed up our security investigations by 40%.

Splunk Enterprise Security has helped reduce our mean time to resolve. In most cases, we're able to solve issues in less than 45 minutes.

Sometimes, the data does not match what we're looking for, or the tool contains incorrect data.

I have been using the solution for two months.

Splunk Enterprise Security is a very stable solution.

The solution provides good scalability.

The technical support team responds quickly every time we contact them.

We have seen a return on investment with the solution because it has reduced the time it takes to fix our problems.

Overall, I rate the solution a nine out of ten.

We use Splunk Enterprise Security to enhance our overall security posture by proactively managing our threat profile across the enterprise. This enables us to see valuable insights and effectively monitor all OEM devices.

It is easy to monitor multiple cloud environments using Splunk Enterprise Security. This helps with DLP and security across our SAM solutions.

Although I favor the cloud's convenience for credential management, Splunk Enterprise Security's visibility remains consistent across multiple environments.

Splunk's insider threat detection reveals daily threat events and highlights anomalous behavior on the dashboard.

The threat intelligence management feature continuously monitors activities across cloud, on-premises, and hybrid environments, and informs stakeholders of any suspicious activity.

Splunk Enterprise Security has endpoint security protection to analyze malicious activities and detect breaches through the analysis of new log content.

Splunk Enterprise Security helps us detect threats two to three hours faster.

Splunk Enterprise Security has helped improve our incident review times, security posture, network protection, and endpoint protection. We saw the benefits within the first month of use.

A decrease in false positives has enhanced our risk analysis, security posture, and the speed of our alert investigations, resulting in daily time savings of four hours. 

Splunk Enterprise Security has saved us two hours per day of investigation time.

The ability to manage large amounts of generated data and to protect all devices from unauthorized use are the most valuable features.

The threat detection library needs to increase the frequency at which the playbooks are updated. 

I have been using Splunk Enterprise Security for two years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The technical support is good.

Positive

The initial deployment was straightforward. We wanted to cover all of our endpoints. Two people were required for the deployment.

The implementation was completed in-house.

I would rate Splunk Enterprise Security an eight out of ten.

Splunk Enterprise Security is a leader in the market and provides great visibility into an organization's security posture.

We have 100 people that are using Splunk Enterprise Security.

The continuous visibility and SOC requirements of the resilience Splunk offers are a benefit to any SIEM. Resilience is important for organizations that run a hybrid environment.

I utilize Splunk Enterprise Security to create alerts within various use cases, including data onboarding, gap analysis, and business testing. I ensure that the use cases adhere to the defined criteria and address any changes or requirements raised by the client. Additionally, I handle any necessary backend modifications in Splunk by deploying code to appropriate environments, including the production environment.

We implemented Splunk Enterprise Security to capture more effective alerts. We create alerts to utilize advanced filtering capabilities. Additionally, we employ Sentinel as our endpoint security application. I have created all instances of the query as intended and have mapped them to Splunk. However, the corresponding alert is not being generated. These are the areas that require attention.

My expertise lies in Splunk Cloud and Azure. While I have worked with AWS in the past for a short period, my current focus is on GCP and Splunk Cloud. My responsibilities involve troubleshooting, alert verification, and key generation. Based on specific requirements, I employ my self-generated queries to identify the relevant fields, such as email or location. Next, I implement lookup conditions and pinpoint the table containing the desired field type. This process allows me to determine the specific requirement of the use case and define the search parameters accordingly. Finally, I conduct a time-bound search to identify any defects.

I deploy to Splunk Cloud, GCP, and on-premises environments. I have experience working with both platforms. When working on the cloud, we don't have the same level of visibility as we do on-premises. For example, we cannot directly access the fraud department systems. In the cloud, we must make all changes and deployments through the Splunk UI. This is relatively straightforward, as there is no backend to manage. However, it requires a thorough understanding of the configuration files and the data fields we need to modify.

We manage multiple cloud environments, including Splunk Cloud and GCP. Splunk Enterprise Security dashboards make it easy to monitor these environments seamlessly. We have a single user interface that allows us to log in to our account instantly and check for any issues, such as Data Collection Processor errors. This unified UI also provides access to the back end of both Splunk Cloud and GCP instances, eliminating the need to switch between different platforms. Whether we need to manage Splunk Cloud or GCP settings, we can do so directly from the UI, which is easy.

Splunk offers comprehensive visibility into our IT infrastructure. The only challenge lies in managing multiple user accounts. We need to create separate accounts for the UI, production environment, and staging environment. Additionally, if we have a DCP or a system cloud, we need to create corresponding accounts. Once that is done we can log in and use it.

Regarding Splunk Enterprise Security's insider threat detection capabilities, we receive an alert for every new case creation. If there is a high likelihood of a specific alert occurring, we have a corresponding use case in place to address it. We also receive soft tickets, which are potential alerts that may materialize in the future. These soft tickets are documented in Jira, and we continuously monitor them. By analyzing these alerts, we can identify potential issues. For instance, this morning, we received an alert for a new case with a missing application name. The interaction table contains the destination user account, process ID, process name, OS, and other relevant information, but the application name field is blank. We investigate this particular use case to determine the cause and timing of the alert. Since we are receiving the alert slightly earlier than expected, we consult the ticket for further details and substitute any missing information.

I have utilized the MITRE ATT&CK framework when the use case pertains to a specific data model. To comprehend the data model, we examine the processes involved or the fields that a particular tool utilizes. To achieve this understanding, we align the MITRE ATT&CK framework with the data modules. Subsequently, we extract the field name and field value. When dealing with ranges and incident changes, we must input the corresponding MITRE ATT&CK ID. This involves determining the tech ID and identifying the ID values associated with it.

Using Splunk Enterprise Security to analyze malicious activities and detect breaches is an efficient approach. When testing a use case, it's not necessary to manually enter the application name as it's provided automatically. Since the requirement is for SSO, we need to verify whether it's LDAP, Splunk Cloud, or AWS. Occasionally, irrelevant results may appear during data ingestion. We test for subscription-related issues and analyze the results. This testing process provides insights into the circumstances that trigger specific alerts. Malicious activities will undoubtedly be detected, and all our requirements will be met. Alerts are generated whenever unusual timeframes or activities occur. Various filtering criteria allow us to identify and capture specific user IDs or patterns within events. This capability proves to be highly beneficial.

The speed at which Splunk Enterprise Security detects threats could always be faster but it is designed to detect threats quickly. It uses various techniques, including queries, to identify and analyze potential threats. This allows it to produce faster search results than traditional methods, enabling us to locate the information we need more efficiently. While I cannot provide an exact percentage of how much faster it is, it is undoubtedly significantly faster. It can process thousands of events, ranging from twenty thousand to thirty thousand, in a very short period.

I've gained valuable knowledge from having to troubleshoot various situations. For instance, I've learned that the SIM needs to be flipped to use the new applications. Additionally, I've discovered that the error limit for event results should be increased beyond 10,000 because the source type values have increased significantly. This ensures that alerts are received even when there are large volumes of data. Furthermore, I've learned that some clients have different index limit requirements. Some clients require a seven-day index limit due to licensing restrictions or data ingestion considerations. Those who have the larger license opt for a 15 or 30-day index limit. In these cases, the large amount of data generated can necessitate a 1TB or higher index size limit. These learning experiences have been invaluable in my work, and I'm constantly encountering new scenarios that expand my knowledge base.

Splunk Enterprise Security has helped speed up our security investigations. 

The best part of Splunk Enterprise Security is its customizable settings. We can modify the front-end interface, data sources, and various other aspects to suit our specific needs. This flexibility makes it extremely user-friendly and convenient.

Apart from its customizable settings, Splunk Enterprise Security also offers a range of other advantages. It enables us to easily analyze logs, use field queries, and perform other tasks without requiring any extensive training. The search function is intuitive and straightforward, making it accessible to anyone.

The UI-based reporting dashboard is another highlight of Splunk Enterprise Security. It provides real-time visibility into important metrics and allows us to drill down into specific events for in-depth analysis.

Splunk Enterprise Security has not helped reduce our alert volume. We need to separate a few of the alerts, and if there is a time based on the priority, we put the time at what time it needs to appear every day or for seven days or more days. If an alert is present or if something is triggering, then it will be detected. However, the number of alerts that can be handled effectively depends on the specific use case. For each result that is affecting the system or for any specific issue, only those particular alerts should be generated. We can define a timer and determine how often checks should be performed. For example, weekly checks may be sufficient in some cases. However, if there are hundreds of alerts generated in a week, it may not be possible to handle them all effectively. Testing must be conducted to filter out unnecessary alerts. Therefore, clear boundaries must be defined in the use case when creating alerts.

The price for Splunk Enterprise Security is high and has room for improvement.

I have been using Splunk Enterprise Security for two years.

Splunk Enterprise Security is an extremely stable product.

Splunk is compatible with a wide range of other products and is not constrained by specific configurations. Whether it's a single-sided or multi-sided cluster, whether it's used by a single team or multiple teams across different program locations, Splunk is flexible and adaptable. Data recovery is also a key feature, ensuring that data is never lost. This is one of Splunk's most significant advantages. Multiple indexes are maintained to safeguard data integrity, so even if one index fails, the data remains accessible to all users at all times.

Splunk Enterprise Security is scalable.

Comparing SentinelOne and Splunk, we've found that SentinelOne requires a thorough understanding of our processes, including their business context, process names, and all relevant conditions. In contrast, Splunk is more forgiving, allowing us time to learn and adapt. Additionally, SentinelOne's pricing structure can be more complex compared to Splunk's straightforward approach.

While Splunk offers ease of use, better visibility, and intuitive management, SentinelOne demands more technical expertise to implement and maintain. Splunk, on the other hand, provides granular control over event filtering, enabling us to retrieve detailed information based on specific criteria, such as Linux or Windows events. SentinelOne, however, may not provide the same level of precision, requiring more precise query formulation.

The initial deployment is straightforward. We only require the name and the value, and the process is very quick. We were already using GitHub, GitLab, and GitPass, so integration with Splunk was seamless. Splunk is compatible with all of these applications, which makes it a good fit for our needs. We are also using ServiceNow, and Splunk communicates seamlessly with it to raise tickets. The overall deployment time is minimal. One person can manage the deployment process, and I have completed 18 deployments myself. Each deployment takes one day to finish.

The cost is on the high end, which makes it difficult for some organizations to use. However, the benefits outweigh the cost.

I would rate Splunk Enterprise Security eight out of ten. While I have not explored all aspects of Splunk, I have found Splunk Enterprise Security to be a useful and reliable tool in the areas I have used. 

Splunk is deployed in one location. On our team that works on the SIM development team, we have 28 people who use Splunk Enterprise Security.

Splunk Enterprise Security necessitates ongoing maintenance. Tuning tickets are available, so we perform the necessary tuning, and if there is an outdated ticket, we make the required changes. I addressed a ticket from 2018 that required tuning. They requested certain additions, such as authentication or a new index, and maintenance is performed to incorporate these new features.

In multi-cluster environments, maintenance can be performed from different locations simultaneously. This feature is very convenient and allows for flexible maintenance scheduling.

I recommend Splunk Enterprise Security because it is a comprehensive solution for enterprise security. I'm currently working on the SIEM component, but the SIM is also available. Splunk offers various ways to search and configure, making it very easy to use, even without prior knowledge. We can seamlessly integrate Splunk into our existing workflows.

The primary use case is for failed login attempts. I typically stick to the security use cases.

The risk-based alerting helped to decrease false positives. We would just get a bunch of email alerts every time a threshold was reached previously and we'd have to investigate them. We'd have to deal with alert fatigue, the standard scenario where no one believes in the alerts anymore. So risk-based alerting has helped us tune out some of the noisier issues and then tune into the alerts, endpoints, and users that are problematic.

The risk-based alerting is excellent. It was most helpful in decreasing the amount of false positives that help bubble up the most problematic users and assets for the analysts, and it's fairly easy to implement.

Splunk Enterprise Security provides end-to-end visibility into our environment. It's a ten out of ten for that capability. Everyone wants to know what's happening across their environment. The more difficult part is defining the visibility, as we can't we can't ingest the entire company into Splunk. So, the harder part is not necessarily gaining visibility. It's rather determining what visibility looks like. Oftentimes, it comes down to determining and prioritizing using the highest value.

Splunk Enterprise Security, when set up properly,  helps us find any security events across multi-cloud, on-premises, or hybrid environments. It helps with investigations and helps us find that needle in a haystack. 

While it doesn't necessarily help with data normalization, some pieces determine whether the data is usable and create that usability outside of enterprise security. It does assist in the process. 

Splunk Enterprise Security provides us with relevant context to help guide our investigations. The context helps with risk-based learning, which is one of the things I rely on fairly heavily. It also helps reduce false positives and increases visibility to the most problematic endpoints and end users.

The Splunk Enterprise Security Hub has reduced our mean time to resolve; however, how much is hard to quantify. The dashboard is color-coded, and it's easy to read for the analysts. I don't often have to explain anything to them. Red is bad, green is good. The dashboards are relatively self-explanatory and it helps reveal the most difficult, problematic parts.

The solution does help with resilience - a bit. What it does is help us discover problems and reactively fix them.

I've definitely seen improvement. However, assets and identity are probably some of the most important integrations for risk-based learning. So if there was a way to make it easier - and, again, I know there's been significant improvement - that is one of the more annoying friction points when setting up risk based alerting.

The Splunk platform is not unified. We have all of these different tools and they feel a bit disjointed.

I've used the solution for maybe six years.

It's a complex tool. Everything needs to be done proactively. That said, it's relatively stable. There's a lot of stability built in, and I don't have any problems with it.

I've worked in on-premises environments as large as 300 terabytes, and they return data very quickly. When it's done right, it can scale tremendously.

The customer service and technical support can be hit or miss. Sometimes you get someone that is really good and knows their stuff and is really helpful. Sometimes you are trying to be patient and help them through. That's hard when you have someone breathing down your neck to get things fixed. They're nice. However, sometimes, when I have pressure on my end, I don't need someone who is nice - I need someone who knows how to fix my issue 

Positive

I'm usually the one performing the setup work. I've been working with Splunk for a long time; it's relatively easy for me.

Enterprise Security is a beast. The best practice is to put it on its own search head. When setting it up, I'm asking for not only an additional light license for Enterprise Security. I have to ask for another server on top of it, too. It is quite a difficult task to ask when Splunk is already as expensive as it is. Then, there is technically setting it up and configuring it. It does take time to configure and normalize all the very foundational parts, such as the assets on identities, which is absolutely integral to getting security working. While I enjoyed the process, it took a lot of work. 

I am a consultant and do assist with the setup.

My work typically has to do with improving the quality of alerts or content and normalizing data. I don't usually get to the point where I'd be able to measure ROI.

I'm not the person that deals with pricing. I have heard there is sticker shock.

I'd give the solution an eight out of ten. There are a lot of great features. They're constantly increasing the value of Enterprise Security. However, they're leaving behind many smaller clients that don't have the knowledge or expertise and don't have professional services, which is another large expense. A lot of smaller clients just don't have the ability to set it up properly, and when that happens, they're only leveraging 30% to 40% of its capabilities. They're upset and wonder why this very expensive tool is not working for them. That said, when it works, it works great. 

We use Splunk for identity protection, threat defense, vulnerability scanning, zero-trust, and user entity behavior and analytics.

Splunk Enterprise Security has helped our customers reduce the alert volume. We ended up validating the false positives manually. We have to do quite a review assessment task. It can do some automatically, but we end up doing them manually to improve the detection. 

Splunk's advanced threat detection capabilities are excellent. Recently, Cisco acquired Splunk, so many customers are migrating to the Microsoft platform, but historically, I've found Splunk does a better job of correlating and collecting the security logs of all kinds of appliances. Most customers want to consolidate their security products into Microsoft.

It supports just about every cloud solution. It is easy to collect and correlate all the data. The visibility is good. Insider threat detection can be customized. My customer was integrated with many third-party credentials and other threat sources as well. The integration part was seamless and easy. The rates for allocating valuable information and IOCs from different sources are also good. 

The incident response technique should be available out of the box. That isn't as available as we would expect. 

I have used Splunk for around two years.

Splunk is stable. We've had no breakdowns in the past few weeks.

We can scale Splunk quickly. 

I rate Splunk support seven out of 10. 

Neutral

Deploying Splunk was moderately difficult compared to Sentinel. Collecting logs, provisioning firewall servers, and indexing are all complex tasks. You need someone with expert knowledge to do the job. The process takes four to six weeks. You need to design the solution and onboard the data, then start collecting logs and doing the detection. 

I rate Splunk three out of 10 for affordability.

I rate Splunk Enterprise Security seven out of 10. Splunk needs to compete with other products like Microsoft, and right now, it looks like they're losing the race. They need to make drastic changes and accommodate more flexible options and integration solutions. 

I use Splunk to get logs from the on-prem servers and create dashboards, alerts, and visualizations.

Splunk has helped us reduce our alert volume. It has sped up our security investigations. For example, it's easy to detect if there are multiple login failures.

It has saved us a lot of time. We previously used OpenShift to collect CPU and memory data for over 900 clusters, so we needed to log in to each cluster to get the details. Even if it only took one minute per cluster, we would spend 900 minutes doing them all, whereas Splunk can collect all the data in under a minute. 

Splunk's machine learning toolkit helps us predict things like CPU and memory usage. The user interface is excellent, and since I'm using Splunk as a power user, it's easy to create dashboards.  Splunk helps monitor multiple cloud environments. We have OpenShift. All of our VMs and servers are present in the cloud. 

Customizing our commands should be simpler. Creating custom commands in Splunk requires a long, complex process. For example, we have a command to add all the column data, but we don't have a command to get the average of the column data at the end. It would be useful to have a blank at the end to create our commands and leave the rest to others.

We have used Splunk for three and a half years.

I rate Splunk eight out of 10 for stability. 

I rate Splunk seven out of 10 for scalability. The architecture needs to be tweaked, so it might take some time to scale it. 

Setting up the architecture is somewhat difficult, but if you follow the steps laid out in the documentation perfectly, you'll understand how to do it. It's medium difficulty. 

I don't know the exact pricing, but I know that Splunk is more expensive than competing solutions.  At the same time, Splunk provides more features than others, so it's priced fairly. It's worth the money.

I rate Splunk Enterprise Security eight out of 10. SES is an excellent product. While it has some room for improvement, it's constantly adapting and trying to stay ahead of the competition. Adding commands to Splunk can be tedious. Automation, for example, helps to make the task smaller. We use Python scripts for automation. 

We use Splunk Enterprise Security for threat detection on our network devices.

Splunk Enterprise Security excels at threat detection. We've developed multiple correlation searches leveraging security data. These searches identify threats and categorize them by urgency level, enabling our security analysts to prioritize and take swift action.

Splunk Enterprise Security has helped us improve our incident response time. We achieve this by ensuring our queries are completed in near real-time.

Access management focuses on storing and managing access controls, while identity management deals with user identities. For example, if we want to find IP addresses associated with CrowdStrike, we can use access management to look up their IP ranges. Then, we can check if any IPs match by adding them to a specific identity management lookup. Finally, by leveraging the combined identity and access management features of Splunk Enterprise Security, we can create correlations between these entities.

The security dashboard can be customized to display the information we need most quickly. It typically has seven to eight panels, each dedicated to reflecting specific data. While some initial data load time might be present, clicking on a specific panel will display its information as soon as possible. There can be delays in traditional dashboards when searching for specific data. To optimize this, we can create "base searches" within each panel. These predefined searches cover commonly used queries and fields. Alternatively, we can create a "summary index" that holds a longer span of pre-processed data. This summary index allows even large datasets to be displayed quickly when accessed through the dashboard.

Splunk enhances our team collaboration regarding security incidents. When a threat alert is received, we can click on it and choose "investigation in progress" from a dropdown menu. This selection redirects us to a dedicated investigation page for further details. For in-depth analysis, we can drill down into the logs to pinpoint the source of the issue. Additionally, the platform allows us to contact network devices to determine the root cause. Once the issue is resolved, we can close the investigation.

We monitor both AWS and GCP environments using Splunk Enterprise Security. 

Splunk provides threat intelligence capabilities that can be valuable. This, combined with the comprehensive set of dashboards available, allows us to effectively monitor for threats. We can also create custom apps within Splunk for threat detection. These apps can include custom dashboards or reports that display specific information. For example, we could create a dashboard that shows the number of users accessing unknown URLs or another that monitors a particular device for suspicious activity. An example of suspicious activity might be a device where the print command is being executed repeatedly but failing each time. This could indicate a malfunction or, potentially, a malicious attempt to exploit the system. Similarly, a sudden spike in activity, such as millions of clicks on a specific device within a short timeframe, could also be a sign of a threat. By monitoring these parameters within Splunk's threat detection features, we can identify and investigate potential security incidents.

Splunk provides valuable visibility across multiple environments. Whether we have an on-premises or cloud architecture, Splunk offers self-monitoring capabilities. Additionally, depending on our environment, we can leverage existing monitoring tools. For on-premises deployments, we can utilize the Martin Console alongside Splunk for comprehensive monitoring. Cloud environments often come with built-in monitoring handled by the cloud provider's support team. In such cases, Splunk can focus on applications and custom log data for deeper insights.

The threat topology provided by Splunk gives us a comprehensive overview of potential threats. By analyzing queries or notable events, we can identify and neutralize these threats.

Splunk does a good job of analyzing malicious activities.

Splunk has improved our organization's decision-making by centralizing all the information in our environment and allowing us to access multiple dashboards and reports in one place.

Splunk has helped us reduce our alert volume. By using Splunk, we can identify the root causes of failures, which in turn leads to a decrease in alerts.

Splunk accelerates our security investigations by enabling us to resolve issues and document them in Standard Operating Procedures or knowledge-base articles. This facilitates a swifter response to similar incidents in the future.

Splunk Enterprise Security's dashboards are a key asset. They offer comprehensive visibility across our entire environment, allowing us to diagnose and address security issues directly from the interface.

I would like Splunk to offer a quicker and easier way to run queries.

Splunk could improve its cost-efficiency for our organization by offering pre-built architectures tailored to specific environments. This would provide a clearer picture of required licenses and their implementation, ultimately reducing licensing costs.

The presence of multiple layers creates a significant challenge for monitoring across cloud environments.

I am currently using Splunk Enterprise Security.

Splunk Enterprise Security is a very stable product, but there are occasional bugs that can appear.

We can scale Splunk Enterprise Security up or down depending on our demands.

The Splunk support team is helpful. For complex issues or on-demand requests, we raise cases with them. On-demand requests requiring impactful solutions are paid. However, for UK-based users, standard support is free and usually resolves issues efficiently. In some cases, the support team rushes to provide a solution without even looking at the issue.

Positive

The initial deployment can be complex. It involves creating multi-site clusters for each location and configuring a cluster master for each. This is because the cluster master will replicate data across multiple sites, making the environment more complex.

Four people were required for the deployment.

I would rate Splunk Enterprise Security 6 out of 10 because of the complexities that occur at times.

I highly recommend Splunk Enterprise Security for organizations seeking comprehensive security monitoring. Splunk offers a centralized platform to collect and analyze vast amounts of security data. This empowers us to gain full visibility across our entire IT environment, including applications, user activity, and potential security threats. Splunk provides insightful dashboards, reports, and real-time alerts to help proactively identify and address security issues.

While cost is a consideration, prioritizing features over functionalities for SIEM solutions can be risky. It's best to identify your business needs first and then choose an SIEM that offers the most relevant benefits to address those needs.

Splunk Enterprise Security is deployed across multiple locations and departments within our organization.

Splunk Enterprise Security required maintenance.