Abhilash Kondodi - PeerSpot reviewer
Assistant VP at a financial services firm with 10,001+ employees
Video Review
Real User
Top 10
Sep 13, 2025
Has supported data loss prevention investigations by centralizing access to user activity across multiple tools
Pros and Cons
  • "Splunk Enterprise Security scales well with the growing needs of our company."
  • "For instance, if a DLP operations analyst accesses the platform, it should guide them to navigate predefined content for their role. That's something I've already mentioned to them, and I'm eager to see what happens next."

What is our primary use case?

My main use cases for Splunk Enterprise Security include supporting production changes, which helps us ensure that we are not going to break the business from a DLP engineer standpoint. From an investigations and operations perspective, it allows us to look into all activities done by any individual, such as which emails they sent or what kind of data they have in their folders. We have logs coming from data at rest and data in motion channels, and all this combined is quite helpful for insider threat and data loss prevention activities.

One of the use cases I leverage Splunk Enterprise Security's dashboards and visualizations for is looking into risky applications. Since we manage the web side, we look into emerging AI applications in the market. Splunk Enterprise Security provides access to logs that show which category of websites are being accessed and what those are. We can see that in a search, yet visualization dashboards enhance this representation. Instead of writing an SPL every time, any team member can go into a dashboard, input the application name they're interested in, and access all relevant details. These are some use cases, and you can continually build your own with Splunk Enterprise Security providing the platform for those developments while limiting access to only those who need to see the information.

How has it helped my organization?

Splunk Enterprise Security plays a role in our organization's strategy to combat insider threats and advanced persistent threats by allowing us to examine how users are affected and the various egress points they are hitting. From my perspective, this is essential as I work in a specific area within cybersecurity.

What is most valuable?

As a DLP Engineer and Assistant Vice President at a US bank with about 50,000+ employees, I manage the Data Loss Prevention tool, configurations, and deployments. We work across the globe in multiple regions and work on multiple different kinds of tools. Splunk Enterprise Security is leveraged quite heavily to support our DLP functions by creating SPLs for our DLP operations. We also create dashboards and reports that are required, where Splunk Enterprise Security is the single point of connection that allows us to send all the logs across and use the data as we need and see fit.

Due to my role, I have limitations on what I can do in Splunk Enterprise Security, yet for whatever access I have, it's been a very useful tool for detections and investigations. From a DLP standpoint, we look into enabling blocking, and we want to make sure that we are looking into what's happening there and how many people would be affected. Splunk Enterprise Security gives us access to that data. The DLP platforms themselves provide data too; however, Splunk Enterprise Security's integrations with various inputs from identity and asset management create a single point for all information.

I appreciate the statistics feature of Splunk Enterprise Security since it helps showcase numbers to management. While we can share a long spreadsheet, that's not a good way of sharing data. Although we still share spreadsheets, having statistics, visualizations, and dashboards to showcase security benefits is much more effective.

Any new tooling we bring in, and adding its data set, helps create much richer data. Different integrations enhance our ability to find the right context for threat analysis and insider threat analysis.

I don't have any metrics regarding how Splunk Enterprise Security has helped reduce our team's average mean time to detect. However, I can think of the practical aspect: we have four different tools with their alerts. When we go into each of those tools, we can see what a user has done. With Splunk Enterprise Security, we can just pop in an SPL, search for the user, and find all the details from different sources in one spot, making it much easier to dive into investigations.

What needs improvement?

I have many good ideas for how Splunk Enterprise Security can be improved. Our Splunk team attended a session, and it was really good. I see that AI integration would assist analysts in seamlessly looking into data without relying on engineers to write an SPL. With AI integration, they can search different kinds of data that they have access to. The UEBA side looks good, and the Splunk Enterprise Security UI indicates that we are on the right path. I look forward to using and sharing what I've learned with my team regarding different tools in Splunk Enterprise Security that we can leverage to improve processes, provided they are not already using them.

One major return on investment for using Splunk Enterprise Security, from my perspective, is the feedback I provided to the product research team about creating a UI that helps specific team members extract value from the platform. For instance, if a DLP operations analyst accesses the platform, it should guide them to navigate predefined content for their role. That's something I've already mentioned to them, and I'm eager to see what happens next. Currently, it's a blank slate where users can explore, which is good, however, some people might need a push. Training can either be done from start to finish, or with AI integrating everywhere, users could ask questions that would return answers, from creating an SPL to providing results.

Buyer's Guide
Splunk Enterprise Security
May 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
900,838 professionals have used our research since 2012.

For how long have I used the solution?

I have about ten plus years of experience in IT and security. The last seven years, I've been focused on data security. I've worked on probably more than seven DLP platforms, data loss prevention platforms. And from what I've seen, almost all these companies that I work with, a lot of them leverage Splunk.

What do I think about the stability of the solution?

I am happy with Splunk Enterprise Security's stability and reliability so far. I haven't seen any drawbacks, although sometimes the search takes a while to return results. That's often due to how I design the search, not the platform's fault. I have fantastic team members who assist me with specific SPLs, which makes it easier. It's just about navigating and understanding the right way to do it.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales well with the growing needs of our company. We have a massive team that supports this, with an amazing team managing all the work around Splunk Enterprise Security ingestions. I keep hearing that the use cases are increasing, and we look forward to what more comes in.

Which solution did I use previously and why did I switch?

Before adopting Splunk Enterprise Security, we did not use any other solution to address similar needs in our company.

What other advice do I have?

I know that our SOC team does use Splunk Enterprise Security to prioritize and investigate high-fidelity alerts, however, I'm not sure how it helps them specifically. I can say that many different teams in the business use it very heavily.

We do utilize UEBA in our company, yet not Splunk Enterprise Security UEBA from my understanding. I'm not part of those teams, so I wouldn't have an answer for how it specifically functions.

I would rate Splunk Enterprise Security a ten out of ten.

I advise other companies considering Splunk Enterprise Security to recognize that it is utilized by massive companies and is more practical. I would suggest finding what works for their environment and evaluating all related costs as those are important factors. Overall, Splunk Enterprise Security delivers, which is what truly matters.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2858877 - PeerSpot reviewer
MDR Analyst at a consultancy with 501-1,000 employees
Real User
Jun 22, 2026
Centralized security monitoring has accelerated threat detection and improved incident response
Pros and Cons
  • "In my experience, Splunk Enterprise Security detects incidents approximately 20% faster than other tools."
  • "One complaint is that it is very expensive for organizations."

What is our primary use case?

Splunk Enterprise Security has been used by my company for the past four to five years. I have been with the company for about a year, so I have approximately one year of experience with Splunk Enterprise Security.

Splunk Enterprise Security has various complex use cases. In our environment, the most common use case is SIEM, which stands for security information and event management. This involves security monitoring, including monitoring of various attacks and of logs coming from firewalls and other devices. We monitor all the devices and networks as well, which is a very effective use case for Splunk Enterprise Security. Another important use case is threat hunting. Since the SIEM has all the logs from all the devices, it makes threat hunting very easy and helps us find the source of all attacks or potential attack attempts.

What is most valuable?

The best part is the user interface, which I would say is very easy to understand compared to other tools. The log ingestion is another feature that I particularly like. It supports almost every device, whether Windows, Linux, firewalls, cloud platforms, media tools, or APIs. Splunk Enterprise Security has a good amount of log ingestion sources. Detection engineering is another valuable feature. It has very good correlation searches and excellent measurement of MITRE ATT&CK mapping. It maps attacks to MITRE techniques in a very good manner.

Splunk Enterprise Security has helped us with faster threat detection compared to other tools since it has centralized logs from all devices and sources. This helps us catch alerts and incidents faster. There is a term for this called Mean Time to Detect. The Mean Time to Detect is much faster with Splunk Enterprise Security. Since we can detect incidents earlier, the Mean Time to Respond also becomes less, which helps us confine and consolidate incidents faster.

In my experience, Splunk Enterprise Security detects incidents approximately 20% faster than other tools. Since detection is fast, we can analyze and respond to incidents much faster than with other SIEM tools.

What needs improvement?

I really appreciate Splunk Enterprise Security, but I do have some complaints. One complaint is that it is very expensive for organizations. This is a common complaint, but it does perform very well, so that expense becomes an investment. For small teams, it is very hard to manage. There has to be a dedicated team of analysts or engineers hired to manage Splunk Enterprise Security overall. The tuning takes up some time, particularly detection tuning and response mechanisms. I have also heard from my clients that it is resource intensive on their devices, taking a lot of resources which sometimes hampers their work.

The search and query functionality in Splunk Enterprise Security needs to be much faster in the future because it still needs some work. It can be improved significantly. Additionally, one thing that I observed was that the time range functionality was not very helpful for me. I wanted it to be very specific and precise, but it included logs from other time zones as well, which was a hassle. Splunk Enterprise Security needs regular updates and upgrades. Instead of doing this quarterly or half-yearly, I would prefer patches to be released as soon as there are any new incidents. Alert fatigue was a complaint recently, but it has been resolved. The AI detections were producing many false positives, which caused our analysts to experience alert fatigue, and this was not helpful for real incidents.

What do I think about the scalability of the solution?

Splunk Enterprise Security has various types of scalability features and options. Since my company and our clients have demands where they are adding more devices and new servers, with other SIEM tools, we would need some time duration for deployment. With Splunk Enterprise Security, I would say within two to three days, it is easily deployable and easily connected to the client's console and can start monitoring. Splunk Enterprise Security has good scaling possibilities.

How are customer service and support?

We raised some questions to the Splunk Enterprise Security support team because there were some incidents which required certain help and it was very urgent. The Splunk Enterprise Security community has helped us a lot, but the support team has medium-paced responses. They are not fast enough and not slow enough, but they have medium-paced response times. However, the responses are very detailed and very correct. We did not have to follow up on anything because we got all the answers in one response only.

I did hear that there were pricing options in the support team as well. There was some premium support available at a much higher price. I would say that is a disadvantage because support should be equally accessible to all. There were a few cases which took some time, but overall it was a timely response. If I were to rate the support team, I would give them an eight out of ten.

How was the initial setup?

When I started deploying Splunk Enterprise Security onto my client's environment, it was the first time for me, so I was a complete beginner. From a beginner's perspective, it was very difficult for me. However, once you get hands-on experience and spend some time with it, it can be moderately easy. The deployment of TI feeds was very easy and had no problems. I think if one has enough experience in deploying it, it can be very easy. However, if someone is a beginner, it will be a bit hard for them.

What was our ROI?

As an analyst, I look at ROI in a different way. I consider how it is actually helping me and whether it would also help if I used some other SIEM tool integrated into my environment. Splunk Enterprise Security has faster detection and response rates. It is approximately 20 to 25% faster than other SIEM tools, which in turn helps in detecting and responding to alerts faster. Overall, if the query search and performance improve even more, I would say it will be a total good investment and we will get our full return on investment.

Which other solutions did I evaluate?

Apart from Wazuh, there is QRadar. I have some experience with QRadar and Microsoft Sentinel as well.

What other advice do I have?

AI-driven detection is a hit or miss at best because we get hundreds of alerts daily. There are a few incidents where AI-driven detections do give us false positives, but 90% of the time it has helped us in detecting attacks faster and taking action on it.

AI-driven detection basically analyzes patterns and identifies suspicious patterns. Many traditional rules or traditional alerting mechanisms may miss these patterns. This has helped us in making decisions based on incidents which even human analysts cannot determine clearly. This could have happened because AI has all the log sources and all the patterns, making it very easy for AI to correlate these logs and identify a pattern. AI indicates to the analyst that this could be an attack and to please look into it. If a human had to do it, it might take them a lot of time compared to AI.

In my experience, risk-based alerting has been very helpful. In my company, we have set it up so that, when certain parameters are met and a certain amount of risk is reached, we trigger an investigation or incident, or escalate the incident to L2 or L3 accordingly. We have a mechanism where if it is above 50, we alert L1. If it is above 75, we alert L2s. If it is above 90, we alert both L2s and L3s. Risk-based alerting has helped us in segregating these alerts, and because of that, the time of analysts is divided and they can focus on other areas of their expertise.

MITRE ATT&CK mapping, as I have mentioned before, with any incident we get, it easily maps it to MITRE ATT&CK and gives us the whole log or storyline that shows which MITRE attack it is mapped to. Threat topology is based on certain incidents. For example, if it is an unusual user login, it gives us a detailed topology of who the user is, which host the user has logged into, how many login attempts they made, and whether the source IP is known or unknown. Threat topology helps us in these aspects, and MITRE ATT&CK mapping helps us in auditing as well later on.

The credit mainly goes to AI-based detection because of how fast it correlates and works on the logs. The speed at which AI identifies patterns and gives us an alert based on that, indicating this could be a potential attack, is one major reason. Real-time log ingestion from different sources of devices like firewalls, endpoints, EDRs, and network devices is another factor. Since this is happening in real-time with no delay in between, we can catch AI-based attacks which will happen in the future, helping us get an advantage over them. Risk-based alerting also helps in a certain way. Since we know it is of a particular risk level, if it is about 85 or 90 risk, we have to take certain action on it depending on the risk level.

Essentials has helped accelerate detection because it has avoided pre-built correlation rules and MITRE mappings, providing MITRE mappings with dashboards and use cases that can also be built. We do not have to build everything from scratch. It is built on its own, which is a good thing. This helps us with faster deployment and reduced time in creating dashboards and other things.

In percentage terms, Essentials has improved the time taken to detect or respond to an alert by approximately 25%. It is a rough estimate between 25 to 50%. We do depend moderately on Essentials helping us detect alerts faster.

We have built custom threat intelligence feeds in my company which help for certain clients. We built these custom threat intelligence feeds in-house first, and when we insert them into our environment, they specifically look out for malicious IPs or hashes which we provide in the threat intelligence feed. Based on that, if we get any incident or any malicious IP which traditional Splunk Enterprise Security or Essentials cannot detect, the TI feed works well in that case and helps us block the IP and gives the analyst an alert that a malicious IP was found and to please look into it.

It has helped me in prioritizing things. We can prioritize easily. If there is a hit from the TI feed, we can look at it first because it was custom built by us and we know how malicious or bad the reputation is. The best thing is that it reduces the load of checking every time the reputation of an IP or a hash. For example, if we get a normal incident, we have to check the IP and hash to see if it is malicious, check certain platforms or Splunk Enterprise Security or other tools. The effort and navigation fatigue gets reduced, and the TI feed gives the analyst the information directly that this is malicious with references or that this hash is malicious and has been found malicious by these websites. We have also built correlation rules based on the TI feeds. If we get a hit from a TI feed plus AI-driven detection also gives it a suspicious rating that the patterns are suspicious, then it is automatically escalated to our L2s and L3s and they look into it carefully.

Operational visibility is another important aspect. It detects service failures, app crashes, or if any firewall is down or if any devices are down. We will get an alert as soon as possible after a certain time if a device stops responding. The operational visibility is pretty good so far. Compliance support is another benefit. We have many audits quarterly, and it helps in generating reports based on compliance protocols and procedures, whether HIPAA, NIST, or PCI DSS. We get reports very easily.

It gives me more context since it combines all the logs from various sources. One major thing is log validation. One log can be verified across various sources against another source. If we get only failed logins or if we get a failed login incident, we can also see which endpoint it is from or which firewall is connected to it or who is connecting to it and what the user privileges are. This builds stronger confidence overall.

SOAR has helped us a lot in our environment. Consolidating SIEM, SOAR, and UEBA has improved visibility, detection, response speed, and efficiency. SIEM's main use cases detect the alert, UEBA adds some context to it, and SOAR does the rest by automating the alert generation and the required processes that need to be done.

UEBA gives us very deep insight into the behavior of certain users or certain devices. It helps to make a baseline for behavior. UEBA learns the normal user and host behavior. It knows when it is a normal time for a user to log in and when it is unusual. It detects deviations and anomalies such as unusual login time, impossible travel, VPN usage, unusual process execution, or requesting higher privileges.

This happened last week. UEBA helped us detect an impossible travel for a user who was present in the office working with us. UEBA detected that another login was observed from the Philippines, which was very unusual because the user was with us at that moment. We asked the user if they had logged in from a VPN. The user said they did not log in from a VPN. We had to look into it very carefully, and L3s and L2s were brought on to investigate it very carefully. It was then later realized that the user was indeed using company VPN but was not aware of it.

I would say Splunk Enterprise Security is a very good tool that everyone should get experience with. However, I have heard that it is not accessible to everyone because of its cost, but it is a very good tool and every analyst should have some hands-on experience with it. My overall rating for Splunk Enterprise Security is nine out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
Last updated: Jun 22, 2026
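The risk-based alerting tiers (above 50 to L1, above 75 to L2, above 90 to L2 and L3), the custom threat-intel feed that matches IPs and hashes, the correlation rule that escalates a TI hit combined with a second suspicious signal, and the impossible-travel case in the review above are all mechanical enough to run as code. What follows is an added example, not code from the reviewer, PeerSpot or Splunk: it reimplements that logic in plain Python over constructed events (RFC 5737 test addresses, a dummy hash, made-up coordinates and timestamps) so it runs offline, where Splunk would express the same aggregation as `stats sum(risk_score) by risk_object` over the risk index. The per-detection scores (60 for a TI match, 45 for impossible travel), the 900 km/h plausibility bound, and the use of an impossible-travel anomaly in place of the reviewer's "AI-driven suspicious rating" as the second escalation signal are assumptions of this example.

```python
"""Risk-based alerting over constructed events (added example, not Splunk or
reviewer code): impossible-travel detection and threat-intel matching each emit a
risk event, risk is summed per user and mapped to the reviewer's L1/L2/L3 tiers,
and a correlation rule escalates when a TI hit and an anomaly coincide on one user."""
from collections import defaultdict
from math import asin, cos, radians, sin, sqrt

# Constructed in-house threat-intel feed: RFC 5737 test address and a dummy hash.
TI_FEED = {
    "203.0.113.45": {"type": "ip", "ref": "in-house feed"},
    "0" * 63 + "1": {"type": "sha256", "ref": "in-house feed"},
}
RISK_TI_HIT = 60               # assumed score per TI match
RISK_IMPOSSIBLE_TRAVEL = 45    # assumed score per UEBA-style anomaly
MAX_SPEED_KMH = 900.0          # assumed plausible travel speed (airliner)

# Constructed login events: (user, epoch seconds, source IP, latitude, longitude).
LOGINS = [
    ("alice", 0, "198.51.100.10", 48.8566, 2.3522),      # Paris office
    ("alice", 1800, "203.0.113.45", 14.5995, 120.9842),  # 30 min later, Manila
    ("bob", 0, "198.51.100.10", 48.8566, 2.3522),        # Paris office
    ("bob", 7200, "198.51.100.23", 51.5074, -0.1278),    # 2 h later, London
]
# Constructed endpoint events: (user, SHA-256 of an executed file).
FILE_EVENTS = [("carol", "0" * 63 + "1"), ("bob", "f" * 64)]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Flag a user whose consecutive logins imply travel faster than max_speed_kmh.
    Returns risk events as (user, score, detection, detail)."""
    by_user = defaultdict(list)
    for user, ts, ip, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        by_user[user].append((ts, ip, lat, lon))
    events = []
    for user, rows in by_user.items():
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(rows, rows[1:]):
            hours = max(t2 - t1, 1) / 3600.0  # guard against same-second logins
            speed = haversine_km(la1, lo1, la2, lo2) / hours
            if speed > max_speed_kmh:
                events.append((user, RISK_IMPOSSIBLE_TRAVEL, "impossible_travel",
                               f"{ip1} -> {ip2} implies {speed:.0f} km/h"))
    return events


def ti_matches(logins, file_events, feed=TI_FEED):
    """Match login source IPs and file hashes against the feed."""
    events = []
    for user, _ts, ip, _la, _lo in logins:
        if ip in feed:
            events.append((user, RISK_TI_HIT, "ti_ip_match", f"{ip} ({feed[ip]['ref']})"))
    for user, sha in file_events:
        if sha in feed:
            events.append((user, RISK_TI_HIT, "ti_hash_match", f"{sha[:12]}... ({feed[sha]['ref']})"))
    return events


def tier_for(total):
    """Reviewer's thresholds: above 90 pages L2 and L3, above 75 L2, above 50 L1."""
    if total > 90:
        return "L2+L3"
    if total > 75:
        return "L2"
    if total > 50:
        return "L1"
    return None


def aggregate(risk_events):
    """Sum risk per user (what `stats sum(risk_score) by risk_object` does in SPL),
    assign a tier, and escalate straight to L2+L3 when a TI hit and an
    impossible-travel anomaly both land on the same user, whatever the total."""
    totals, names = defaultdict(int), defaultdict(set)
    for user, score, name, _detail in risk_events:
        totals[user] += score
        names[user].add(name)
    notables = {}
    for user, total in totals.items():
        tier = tier_for(total)
        if any(n.startswith("ti_") for n in names[user]) and "impossible_travel" in names[user]:
            tier = "L2+L3"
        if tier:
            notables[user] = {"risk": total, "tier": tier, "detections": sorted(names[user])}
    return notables


def run():
    """Run both detections over the sample data and return notables keyed by user."""
    return aggregate(impossible_travel(LOGINS) + ti_matches(LOGINS, FILE_EVENTS))
```

On the sample data, `run()` raises a notable for alice (Paris to Manila in 30 minutes from a feed-listed address, total 105, tier L2+L3) and for carol (hash match only, total 60, tier L1), and nothing for bob, whose Paris-to-London hop at roughly 170 km/h is plausible and whose hash is not in the feed. The VPN case the reviewer describes is why the example scores an anomaly rather than blocking on it: an egress from a corporate VPN exit node will trip the same speed check, so the escalation rule requires a second signal before paging L2 and L3.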
Duy-An Dô - PeerSpot reviewer
Information Security Specialist at Ubisoft International SAS
Real User
Top 10
Sep 13, 2025
Streamlines alert triage and incident investigation while improving communication with non-technical stakeholders
Pros and Cons
  • "The features of Splunk Enterprise Security that I appreciate the most include the SPL search."
  • "Splunk Enterprise Security can be improved mainly regarding the UI, which can be daunting at first for newer employees."

What is our primary use case?

As a security analyst, my main use cases for Splunk Enterprise Security involve reviewing notables. I receive all the alerts and notables in my queue, review them, ensure they're not actual security incidents, and triage them as true positives, false positives, and so on. I then investigate the true positives.

What is most valuable?

The features of Splunk Enterprise Security that I appreciate the most include the SPL search. It allows me to get all the data I need, make it beautiful, show it to my boss, and show it to less technical people. It's easy to display the data.

When we have a major incident, we need to move fast and answer quickly. Also, we need to inform non-technical people, so it's easier to show them.

Instead of showing them a raw log that's ugly and hard to read, we can show them a very concise point such as 'This insider threat with this IP address accesses this system,' and pivot wherever needed. It's really useful for data presentation.

Dealing with incidents depends on the type of incident; a major incident can take a few months, while a smaller incident can take from five minutes to five hours. We use Splunk SOAR, and we're starting to use that in Splunk Enterprise Security to automate our response. It's made my life easier because repetitive tasks can be automated with a playbook, and everything gets done in the background without manual triage.

Splunk Enterprise Security helps improve my business's resilience by protecting our enterprise. Every time there's something not working, it's our central log space. Every incident and everything that's not working is in Splunk. The factors that led to adding Splunk involve our relationship with the sales team and our technical contact. We have a very good relationship with them, which helps considerably.

The integration of these security solutions supports my security operations by providing us with better visibility into various types of endpoints. We have custom detections that we make on Splunk, and we also integrate Microsoft Defender alerts into Splunk. I have one place to investigate them all instead of going from product to product.

What needs improvement?

Splunk Enterprise Security can be improved mainly regarding the UI, which can be daunting at first for newer employees. It's hard to find everything, such as menu locations, dashboard access, and dashboard creation. It's still very complicated and takes a few weeks to understand. The UI could be more user-friendly.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include skills. I've been using it for four years and I don't know everything yet. Finding information and writing complex SPL queries can be challenging. I tried to use external AI, ChatGPT, but they're not very good with it. I know now there's SPL with AI, and we're going to test that.

For how long have I used the solution?

I have been using Splunk Enterprise Security for about four years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as generally good. We had a few performance bugs with very specific use cases, and they were handled quite fast. We reported them to our technical contact, and within a week, they were fixed.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales effectively with the growing needs of our organization. We expand continuously, always adding new detection, new logs, and new systems. In Splunk Cloud, it's very scalable. We never have an issue with that, and we have terabytes of data coming in.

How are customer service and support?

I would evaluate customer service and technical support for Splunk Enterprise Security as very good. This is probably one of the reasons why we have a good relationship and we keep Splunk around.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I always used Splunk. At the same time, we use Microsoft Defender Endpoint, however, we don't use their SIEM solution. I use MD alerting too.

Which other solutions did I evaluate?

I use disparate security solutions that integrate or import data into Splunk Enterprise Security.

What other advice do I have?

I am not directly involved in pushing new detection in Splunk Enterprise Security. However, I do tune detections; if a detection is firing too much or I feel we could edit the detection, I find it quite easy to do. My organization does not use risk-based alerting in Splunk Enterprise Security yet; we're working on it.

The advice I would give to other organizations considering Splunk Enterprise Security is to contact them, contact the sales rep and the tech rep, and ask them for a PoC trial. They're very open with this, even with new features. Before we buy anything new, such as SOAR, Splunk offers to let us do a PoC. They give us a license to try it for free for a few months and give feedback on whether we are interested or not. For any enterprise thinking about it, I would contact them and get them to do a free trial for a while.

On a scale of one to ten, I rate Splunk Enterprise Security a nine.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
David-Alfonso - PeerSpot reviewer
IT Security Engineer at a financial services firm with 201-500 employees
Real User
Top 5
Sep 11, 2025
Has significantly improved detection speed and enabled faster response to threats through better integration and automation
Pros and Cons
  • "The features of Splunk Enterprise Security that I find most valuable include Mission Control, which I really appreciate, the way accelerated data functions, making it really fast to see, the integration with SOAR, which is something really cool and integrates with automated processes, and the way to ingest threat intelligence feeds, which is an amazing feature as well."
  • "Splunk Enterprise Security has helped improve my organization's business resilience, as we were able to detect an attack that was happening after hours and prevent it thanks to the detections."
  • "The on-premise integration with SOAR could be more simple; the cloud version integrates with SOAR very easily, but the on-premise SOAR and on-premise Splunk Enterprise Security are really not that easy, so I would appreciate if that could be improved."

What is our primary use case?

My main use cases for Splunk Enterprise Security are basically triage, ensuring cyber threat defence, and improving speed when defending the organization. Since I am the only one currently in the security team, we are growing this year and next, and we're expanding. Splunk Enterprise Security is improving the process to defend, basically.

How has it helped my organization?

The features of Splunk Enterprise Security benefit the organization. You can see threats much faster, helping detect something that the antivirus may miss. Splunk Enterprise Security can work with this, and when the antivirus has a hard position, by using proper detection rules that are well-configured, you can see what's going on in real-time, both endpoint-based and network-based.

What is most valuable?

The features of Splunk Enterprise Security that I find most valuable include Mission Control, which I really appreciate, the way accelerated data functions, making it really fast to see, the integration with SOAR, which is something really cool and integrates with automated processes, and the way to ingest threat intelligence feeds, which is an amazing feature as well.

Splunk Enterprise Security has helped improve my organization's business resilience, as we were able to detect an attack that was happening after hours and prevent it thanks to the detections. We stopped it immediately in a matter of about 30 minutes. Splunk Enterprise Security has improved my ability to predict, identify, and solve problems in real-time; it's not just proactive, but also really predictive. My organization uses Risk-Based Alerting in Splunk Enterprise Security, which speeds up our process to detect and our mean time to respond. It's very helpful, and after we improved the configurations, we have RBA working fine, something that will always be maintained; it may not be perfect, but we do our best to maintain it.

On average, my security ops team takes less than five minutes to remediate security incidents with Splunk Enterprise Security compared to our previous solution, which used to take hours because we needed to see different sites. We are using new threat detection features in Splunk Enterprise Security by ingesting a lot of threat intelligence feeds from our main vendor, which has significantly improved the indicator of compromise, the IOCs detections. We also use Sigma detections and adapt to Splunk.

What needs improvement?

The on-premise integration with SOAR could be more simple; the cloud version integrates with SOAR very easily, but the on-premise SOAR and on-premise Splunk Enterprise Security are really not that easy, so I would appreciate if that could be improved. 

Additional features that should be included in the next release of Splunk Enterprise Security are the ability to integrate with other software and tool frameworks, beyond Sysmon, to avoid ingesting Sysmon logs from the endpoint, which can be very noisy at times, resulting in more straightforward detection and less resource-intensive licensing.

For how long have I used the solution?

I have been using Splunk Enterprise Security for four years.

What do I think about the stability of the solution?

I have experienced downtime, crashes, and performance issues with Splunk Enterprise Security due to a hardware issue, which we were able to quickly fix thanks to the backup recovery. However, it took about one day, and it highlights the need to move to clustering, which I've discussed with my leadership team.

What do I think about the scalability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as needing clustering. It ensures it remains operational all the time, which means you can see cyber attacks. When it's down, you can't see anything. 

We currently rely on disaster recovery and backup recovery, which takes time to recover, during which you're basically blind, so I'm pushing my leadership team to switch over to a clustering environment for constant availability. Right now, the server we have meets the hardware requirements, and we have moved to new hardware. 

We're considering moving to cluster environments to scale in the future, probably in a couple of years.

How are customer service and support?

I would evaluate customer service and technical support for Splunk Enterprise Security as excellent; when we open tickets for troubleshooting, 99% of the time, it relates to our Linux environment. I have no personal complaints about the support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, Splunk was already in place when I came on board at Educational Federal Credit Union.

How was the initial setup?

In the beginning, we were using disparate security solutions that integrate or import data into Splunk Enterprise Security. Now we are adapting to completely switch to the Splunk Enterprise Security side to have a single-pane-of-glass view of everything, minimizing the integrations with the vendors such as EDR, DLP, and the firewall.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security. My executive team has noticed improvements; we were able to save on other solutions, which increased budgeting for future projects thanks to Splunk Enterprise Security and the licensing optimization, allowing us to invest in other tools.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup costs, and licensing with Splunk Enterprise Security has been challenging in the past due to the expensive licensing model, which was driven by Sysmon delivering a lot of unnecessary noise. We don't use Splunk just for security; we also use it for other departments. 

We have shared the license between security and development departments, making sure to minimize ingestion logs from the endpoints, including workstations and servers. We are currently leveraging EDR telemetry ingested to Splunk, which saved a lot of licensing money while allowing us to see what we're looking for.

What other advice do I have?

My advice to other organizations considering Splunk Enterprise Security is that it's the leader in SIEM globally. You have a lot of customization and data normalization, meaning you can detect anything you want compared to other SIEMs. Splunk Enterprise Security is worth the investment because it provides exactly what you need if you are a true cyber defender. I also network with friends from a company, Next-Gen Systems, which is leading in detection and investing in developments and integrations with Splunk due to its scalability. 

On a scale of one to ten, I rate Splunk Enterprise Security a ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Cyber Security Ops Manager at an educational organization with 1,001-5,000 employees
Real User
Top 10
Sep 13, 2025
Mission Control helps our team prioritize critical alerts and respond to incidents more efficiently
Pros and Cons
  • "It has supported our SOC by improving it."
  • "I would definitely improve the risk-based alerts in Splunk Enterprise Security, helping SOC analysts to get to the drill-down searches."

What is our primary use case?

My main use cases for Splunk Enterprise Security are security operation center and incident response.

What is most valuable?

The Mission Control feature of Splunk Enterprise Security benefits my organization by providing quick alerts, making it easy for the SOC team to navigate events and find threats quickly.

I use disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports our security operations effectively because we work with different tools, and Splunk apps support many integrations, so we don't need to write custom ones; it's available by default.

It has supported our SOC by improving it; in looking through many alerts, we can look at only the critical alerts, and the number of alerts investigated by SOC has changed drastically. Currently, my security ops team remediates security incidents with Splunk Enterprise Security within 45 minutes compared to our previous solution.

I would be using Detection Studio, which is one of the new threat detection features in Splunk Enterprise Security that I'm interested in. Splunk Enterprise Security has definitely helped improve my organization's business resilience; it has helped us to pass our SOC 2 audit, and we have good monitoring about security alerts and threats happening.

I assess Splunk's ability to predict, identify, and solve problems in real time as very good.

What needs improvement?

I would definitely improve the risk-based alerts in Splunk Enterprise Security, helping SOC analysts to get to the drill-down searches.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include writing detection rules for new threats, finding out about the SPL logic, and writing correlation rules. In ES8, we are experiencing some issues with crashes, and whenever we open the correlation rule, it gives a Java error requiring a refresh. We had not seen that error before; however, we are seeing it more frequently in ES 8.1.

For how long have I used the solution?

I have been using Splunk Enterprise Security for five years.

What do I think about the stability of the solution?

Splunk Enterprise Security scales absolutely with the growing needs of my organization; it has caught up with our needs, and we use the tool without any pain.

On a scale of one to ten, I would rate Splunk Enterprise Security overall as eight.

What do I think about the scalability of the solution?

We have definitely expanded our usage over the five years; our utilization of Splunk has totally changed.

How are customer service and support?

I would evaluate customer service and technical support as good and satisfactory. It was not satisfactory a few years back; however, now I see some positive changes, which is good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used IBM QRadar.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as easy thanks to the cloud.

What was our ROI?

I have seen a return on investment; though it is an expensive tool, we did see return on investment. The integration is a specific example where we see value; the basic integration with different data is easy and more adaptable. As we use more different tools, Splunk Enterprise Security is able to integrate all those things without needing to create custom integration.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup cost, and licensing for Splunk Enterprise Security is that it is expensive.

Which other solutions did I evaluate?

I made a change because IBM QRadar was on-premises, and we were transitioning; we had many challenges with the tool when dealing with big data, and it was not able to catch up, which is why we moved to Splunk Enterprise Security.

What other advice do I have?

I would advise other organizations considering Splunk Enterprise Security to use it and also utilize the built-in ES Content Pack, where you have many rules ready, instead of trying to figure everything out. Use that content pack to start, and once you have the basic fundamental detection rules, then you can expand on it.

On a scale of one to ten, I rate Splunk Enterprise Security an eight.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Raymundo Perez - PeerSpot reviewer
Splunk Admin at Sempra Infraestructura
Real User
Top 5
Sep 13, 2025
Correlation and integration capabilities have streamlined our investigation and response efforts
Pros and Cons
  • "The features of Splunk Enterprise Security that I find most valuable are the correlation and correlation data."
  • "Splunk Enterprise Security could be improved in the dashboards that provide KPIs about environmental behavior."

What is our primary use case?

My main use cases for Splunk Enterprise Security are detection, attacks, analysis, and investigation.

What is most valuable?

The features of Splunk Enterprise Security that I find most valuable are the correlation and correlation data. These features have benefited my organization through the model of investigation, correlating with correlation alerts, and integration with other tools, which is a good point.

In my experience with other tools in previous jobs, the time is reduced by around 70% compared to the previous tool.

My impressions of Splunk's ability to predict, identify, and solve problems in real time are positive. There are points to consider when enriching the data with these kinds of inputs. It is a good opportunity for companies trying to start with this environment, though it might be a challenge for those who have been using it for a long time since it requires identifying the context and use cases.

What needs improvement?

Splunk Enterprise Security could be improved in the dashboards that provide KPIs about environmental behavior.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include correlation when we have inputs or tools about security, such as Forescout or CrowdStrike, which presents a good challenge.

My organization uses risk-based alerting in Splunk Enterprise Security, yet not optimally, which presents another challenge. My security ops team takes longer to remediate security incidents with Splunk Enterprise Security compared to our previous solution. It is very complex.

For how long have I used the solution?

I have been using Splunk Enterprise Security for four years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as good. However, it depends on the Splunk architects or the best practices provided by the admins and power users. They should avoid creating bad practices in correlation alerts, queries, and dashboard reports, but overall, it is a good, stable product.

What do I think about the scalability of the solution?

Scaling is smooth in certain functionalities but can be more difficult when involving different areas. When under the same scope, it progresses smoothly.

How are customer service and support?

Customer service and technical support are good. They can sometimes be expensive, but the cost is appropriate given the professionalism in providing reports, diagnostics, and analyses.

We may need more follow-up for remediation, which is sometimes noted as expensive; however, it is acceptable as part of the partnership agreement.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I was using another solution, SOAR, to address similar needs. It accomplishes that along with the implementation process, and I need to consider the different policies within the company regarding privileges, roles, and dependencies across different areas.

How was the initial setup?

The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is part of the onboarding process. We sometimes need to review it based on our needs or use cases we need to apply, and we need to correlate the data with different inputs, sometimes directly from security or IT data.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security. If the account executives for Splunk do not explain the implementation process clearly, we may face challenges, as our company's first question is usually about seeing immediate results for the amount spent. We often need to follow a process and achieve a certain maturity level, which requires a prompt response from our management.

What's my experience with pricing, setup cost, and licensing?

Regarding my experience with pricing, setup cost, and licensing, it is good. I saw around 2016 when the license was one option; however, now it is good, although sometimes it depends on the business of the company since we do not always have the budget to increase, decrease, or try to change.

Which other solutions did I evaluate?

The factors that led me to change to Enterprise include the new improvements. This is the correct path, and next year we will need to review the challenges concerning AI governance, which I plan to use in Splunk Enterprise Security.

What other advice do I have?

Splunk Enterprise Security has helped improve our organization's business resilience. It helps us respond to various needs in our different regions or plants, aiming to obtain critical information to reduce the impact of hacks in our plants.

I would absolutely recommend Splunk Enterprise Security. Every time I have the opportunity to promote or explain how it works, people say it is amazing, and I agree. It is an integrated solution that stands out against competitors, and though it may be expensive, it delivers good quality.

I would rate Splunk Enterprise Security overall a nine on a scale of one to ten, considering the current improvements.

Disclosure: My company has a business relationship with this vendor other than being a customer: Accenture.
PeerSpot user
Viral Shaa - PeerSpot reviewer
IT Security Analyst at Eos Energy Enterprises, Inc.
Real User
Top 5
Leaderboard
Jun 5, 2026
Centralized monitoring has reduced analyst burnout and improves response to critical threats
Pros and Cons
  • "My overall experience with Splunk Enterprise Security in the energy sector has been overwhelmingly positive."
  • "While Splunk Enterprise Security is a great product, I observe a few challenges compared to other products. The first challenge is the licensing cost, which is significantly high, especially for organizations generating a large volume of logs common in the energy sector."

What is our primary use case?

We are currently in beta mode with AI-driven detections, connecting with AI while using Splunk forwarders and API connectors to ingest data from SCADA systems, historian databases, firewalls, endpoint security platforms, and cloud services. So far, the beta platform is working as expected, although we are not fully integrated with AI yet. Splunk Enterprise Security includes threat intelligence feeds, which summarize alerts in bullet points for analysts, helping them investigate incidents.

I use Splunk Enterprise Security as a SIEM management tool that gathers SIEM, log management, and operational monitoring. We are using it to integrate with different systems and centralize logging in one place, where we create rules or alerts that generate when there is a match. We are using that tool as a necessity and for compliance as well.

What is most valuable?

Risk-based alerting in Splunk Enterprise Security has positively impacted our alert volume and analyst productivity. We currently have a lot of alerts, including out-of-the-box alerts provided by Splunk. The risk-based alerts allow us to create alerts tailored to our needs, significantly impacting our organization by helping us prioritize events that truly matter and reducing false positives in our monitoring environment. For example, if one alert detects malware or a decommissioned user account, the risk-based alerting reduces noise from less severe alerts, allowing analysts to focus on more critical issues without having to investigate low-severity alerts extensively.

The integration of the threat intelligence feed and MITRE ATT&CK framework in Splunk Enterprise Security is significant for discovering the overall scope of incidents. When an alert generates, understanding the attacker's motive helps us recognize how they gain access to our environment, including the tools and techniques they use. Using MITRE tactics alongside threat intelligence feeds adds value to those alerts, allowing us to reduce response times significantly.

The correlation rules and risk-based alert models are effectively detecting threat factors early, enabling analysts to get to work immediately. The correlation rules, threat intelligence, notable event prioritization, and risk-based alerting help navigate the root causes of threats, thus reducing the threat landscape.

My overall experience with Splunk Enterprise Security in the energy sector has been overwhelmingly positive. Splunk Enterprise Security has proven to be a powerful and reliable tool for centralizing logging, monitoring critical infrastructure, creating alerts and reports, and improving both operational and cybersecurity sides. It also provides security, giving us visibility into the OT and IT environments to ingest and correlate large volumes of data. After generating alerts, we detect anomalies and respond to incidents faster, all within a centralized platform. We have approximately fifty software solutions that we are using, and we ingest the logs into Splunk, allowing us to monitor them flexibly and scalably, which fits our organization's needs in a high-volume energy sector environment.

Using Splunk Enterprise Security improves our average mean time to resolve because we aggregate logs from endpoints, IAM logs, spam logs, EDR logs, and firewall logs into a centralized platform. It creates alerts that analysts can prioritize. P1 incidents should be resolved within two hours, demonstrating significant improvement from utilizing the product in our environment. It is a strong platform that faces some challenges, but overall, we receive positive feedback about reducing that mean time.

Before Splunk Enterprise Security was onboarded, finding alerts across multiple dashboards demanded considerable effort. After using Splunk Enterprise Security, we see significant improvement because everything is centralized on one dashboard. Analysts no longer need to look for firewall or EDR alert points individually; all data is accessible on Splunk Enterprise Security's dashboard. The AI model also helps minimize real-time metrics for security events, presenting everything in real time. Analysts can contact customers or end users and complete their analysis in approximately fifteen to twenty minutes, gaining insights about the ongoing environment, detecting anomalies and responding to incidents faster.

In the energy sector, where infrastructure and regulatory requirements are critical, the triage phase's capability allows us to detect significant ransomware attacks early. By triaging incidents right away, we strengthen our visibility and can swiftly take action, such as isolating virtual machines or user accounts, or changing passwords, which helps us assess the risks involved with alerts and how we can remediate them.

Splunk Enterprise Security significantly improves our ability to detect threats faster.

What needs improvement?

While Splunk Enterprise Security is a great product, I observe a few challenges compared to other products. The first challenge is the licensing cost, which is significantly high, especially for organizations generating a large volume of logs common in the energy sector. The learning curve can also be steep for new users, particularly when working with SPL and building advanced dashboards. Learning SPL, a query language in Splunk, is not hard, but for a newly onboarded analyst, it can be challenging. Building dashboards is easy, but when making special requests for management, it can be tricky. Additionally, Splunk can be resource intensive, requiring careful planning around storage, indexing, and hardware performance. These factors do not diminish the product's value, but they do require thoughtful management and ongoing training to ensure teams leverage their capabilities fully.

I recommend that Splunk improves its pricing model since the pricing is based on the logs ingested, which is currently quite high. Users and admins of the product must pre-plan and thoughtfully manage the logs to fully leverage its capabilities. Reducing pricing would be a great suggestion from my side.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for three to five years on my current job and probably on my previous job as well.

What do I think about the stability of the solution?

Regarding reliability and stability, Splunk Enterprise Security is a significant tool. We have not experienced outages or downtime. The documentation states 99.9% availability, and it consistently operates 24/7 without any stability or reliability issues at this time.

What do I think about the scalability of the solution?

From a scalability standpoint, as we transition from a smaller mid-sized company to over one thousand employees, we have not encountered any hiccups or roadblocks using Splunk Enterprise Security. It effectively meets our needs in terms of log ingestion and performance.

How are customer service and support?

Splunk support is quite good; they reply within twenty-four hours. We have opened some support tickets, and they responded promptly to address the root cause of our issues. I would rate Splunk support as very responsive.

Which solution did I use previously and why did I switch?

We evaluated IBM QRadar, Elastic Stack, and ArcSight through POC, but so far, Splunk Enterprise Security's ecosystem, documentation, and functionalities stand out the most.

How was the initial setup?

My deployment experience with Splunk Enterprise Security was smooth and well-structured. We began by pre-planning the architecture to define indexer, search head, and storage requirements based on expected data volume. Once completed, we deployed the forwarder across various servers, firewalls, and OT gateways, followed by data forwarders from the SCADA system, historian database, and enterprise applications. Once ingestion was stable, we began building dashboards, alerts, and compliance reports tailored to our operational and security needs. Our team required training, which Splunk provided to help us understand how SPL works and how to create dashboards. With their assistance, we started ingesting data and the platform is fully operational. Overall, it was a smooth and standard deployment process.

I participated in the initial setup of Splunk Enterprise Security, serving as the admin of the console overseeing onboarding and offboarding processes.

What was our ROI?

In terms of improving business resilience, the ROI from Splunk Enterprise Security is significantly positive. Implementing Splunk Enterprise Security has improved our organization's overall resilience by providing real-time visibility in both IT and OT environments, enabling faster anomaly detection and addressing operational disruptions and security threats. With centralized logging, correlation searches, and risk-based alerting, we can identify issues earlier, prioritize events posing high risks, and respond before impacting critical infrastructure or service delivery. This approach reduces downtime, ensures compliance readiness, and enhances continuity across energy operations. By utilizing data from our SCADA systems, network devices, identity platforms, and cloud services, Splunk Enterprise Security supports a more adaptive, informed, and resilient operational posture while ensuring day-to-day reliability and long-term strategic stability.

What other advice do I have?

Compared to other products in the market, Splunk Enterprise Security's standard is much higher, though other options are cheaper.

I am an admin of Splunk Enterprise Security. Currently, we have Splunk Enterprise, and I would consider my role as a user.

We are using the enterprise version, which is best suited for us with a higher top-layer model.

I observe a significant reduction in analyst burnout due to utilizing Splunk Enterprise Security. Analysts face a high risk of burnout working for thirty minutes to several hours on a single alert to find the root cause. However, with everything centralized on a dashboard, burnout rates decline. Splunk Enterprise Security monitors our systems 24/7, allowing analysts on different shifts to evaluate the dashboards in a consistent manner. This standardization of dashboard alerts and reporting has significantly improved our operations and reduced burnout.

Currently, we are on a trial license for third-party vendors ingesting security event data while streamlining incident management. We receive real-time monitoring for threat intelligence feeds, using a SOAR platform for automated response workflows and an AI platform that helps narrow down visibility across our entire energy infrastructure.

Based on my experience with Splunk Enterprise Security in every aspect, I would rate it nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 5, 2026
PeerSpot user
Paul-Zhang - PeerSpot reviewer
Manager, Information Security at a financial services firm with 10,001+ employees
Real User
Top 5
Sep 11, 2025
Delivers efficient threat detection through big data analytics but requires improvement in reducing false positives and operational noise
Pros and Cons
  • "Splunk Enterprise Security is doing its job in helping improve my organization's business resilience."
  • "The biggest advantage I can see in Splunk Enterprise Security is the big data analytics."
  • "There is another new term called benign positives. It is better to clearly identify each definition of those terms since it has not been popular in the industry, and everyone needs to be aware of those things."
  • "The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are the false positive alerts."

What is our primary use case?

My main use cases for Splunk Enterprise Security are threat detection use cases.

What is most valuable?

The biggest advantage I can see in Splunk Enterprise Security is the big data analytics. The simple search query with faster responding results is also appealing. My team handles large volumes of cybersecurity data. To be able to search against such a big amount of data with efficiency is the key driver for my team to do threat detection and data analytics.

What needs improvement?

Splunk Enterprise Security can be improved in many ways. I am very happy to experience the AI-powered security platform they are going to show us in the new version. Better identification of true positives and false positives should be included in future releases.

There is another new term called benign positives. It is better to clearly identify each definition of those terms since it has not been popular in the industry, and everyone needs to be aware of those things.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are the false positive alerts. As mentioned in the keynote, there is a lot of noise. Reducing the noise to make sure the SOC is operating more efficiently is one of the challenges my team is having. The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is not the easiest; however, it is not the most difficult one, so I would say it is medium.

For how long have I used the solution?

I have been using Splunk Enterprise Security for seven years.

What do I think about the stability of the solution?

I have experienced downtime, crashes, and performance issues, with the most recent one being a data ingestion issue from another security platform. This key data source is not being ingested, causing some downtime.

What do I think about the scalability of the solution?

Splunk Enterprise Security does not scale efficiently with the growing needs of my organization. Since it is on-premises, we have some scalability issues, and there are other new players coming up.

We have expanded the usage of Splunk Enterprise Security several times.

How are customer service and support?

I would evaluate customer service and technical support as adequate since my team does not deal with it directly. Another team dealt with them, and I found it to be acceptable as they have 24/7 support all over the world. 

They hand over to the next team in another country, but sometimes it takes time to do the transfer, and we have to explain all the problem issues again, which can be frustrating. For that, I would rate it a five.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.

How was the initial setup?

My experience with deploying Splunk Enterprise Security is actually another team's job; however, they are doing adequately.

What about the implementation team?

My organization is moving towards risk-based alerting in Splunk Enterprise Security. My team actually built our own risk-based alerting before they released it; however, we are looking forward to integrating both.

What was our ROI?

Splunk Enterprise Security is doing its job in helping improve my organization's business resilience. There are other competitors in the same field, so I find it neither particularly good nor bad.

What's my experience with pricing, setup cost, and licensing?

I don't directly deal with pricing.

What other advice do I have?

I would advise other organizations considering Splunk Enterprise Security that the new version looks impressive. If organizations want the new, complete package, I would recommend ES Premier, as it combines ES with TIM, UEBA, and SOAR.

On a scale of one to ten, I would rate Splunk Enterprise Security a seven. I believe ES is doing its job, but it is slightly behind its competitors.

Other competitor platforms already have AI integrated, and they just announced it today, so it feels somewhat behind. However, I am looking forward to this new feature.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Sreeni Mamidipaka - PeerSpot reviewer
IT Security Mgr at a legal firm with 1,001-5,000 employees
Real User
Top 10
Sep 11, 2025
Dashboards and reporting have streamlined our alert triaging and security investigations
Pros and Cons
  • "I would assess the stability and reliability of Splunk Enterprise Security as generally good, with very little downtime and few crashes or performance issues."
  • "Splunk Enterprise Security has helped improve my organization's business resilience by fulfilling gaps in forensics, incident management, IRP, and data management while helping us mature our security operations."
  • "Our organization has very limited resources, so we would want to expand some of those automation and AI capabilities to fill those gaps."
  • "My organization does not completely utilize risk-based alerting in Splunk Enterprise Security as it's not fully mature."

What is our primary use case?

My main use cases for Splunk Enterprise Security are log management and enterprise security. Those are the key.

How has it helped my organization?

Splunk Enterprise Security has helped improve my organization's business resilience. We load much of our data and information that we use. It's really helping us in our log management solution, and also for forensics and alert triaging purposes. Forensics is one of the big pieces, along with incident management, IRP, and data management. It's fulfilling all those gaps and helping us mature our security operations.

What is most valuable?

The features of Splunk Enterprise Security that I enjoy the most include reporting, dashboards, and RBA. These features have benefited my organization since the dashboards and reports help us review security alerts and events in a timely manner. The RBA is what we are currently working on to develop and have some early detection on security alerts and notifications.

Currently, I am using disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports my security operations by providing some visibility into security. Yet we have many basic issues where we need to fix the log sources, integration, and quality of the content that's going into Splunk Enterprise Security.

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security quite basic. We don't have any sophisticated process. We have contractors and MSSP who are timely filling those gaps, going through the rule review process, going through regular security testing, and prioritizing what is more important as an organization.

What needs improvement?

Though we have not completely explored the product functionality, Splunk Enterprise Security itself has many features. This morning I was reviewing all the AI capabilities, such as those in version 8.2, which has included incident triaging and processing. That's probably a very good feature. Our organization has very limited resources, so we would want to expand some of those automation and AI capabilities to fill those gaps.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as generally good, with very little downtime and few crashes or performance issues. I've been with the organization for a little over a year. I have seen one or two occasions where the enterprise resources crashed. I haven't really seen any significant issues.

What do I think about the scalability of the solution?

Splunk Enterprise Security works efficiently with scaling growing needs since the distributed architecture is very well planned and easily scalable. All you need is to spin up a few additional resources and you can build your collectors, forwarders, and indexers. It's quite easy. At the same time, it comes with its own complexities since it's an on-premises solution.

Overall, it performs well. I haven't seen any outages or resource challenges while using it.

How are customer service and support?

I would evaluate customer service and technical support as very responsive. Anytime that we have issues or challenges, I could see they were helping us behind the scenes and going through all these improvements. They were excellent.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In previous organizations, I have been well-versed with many other SIEM tools. QRadar is one prominent tool I used. McAfee Nitro, which isn't available anymore, was another. RSA NetWitness, RSA enVision, and ArcSight were among the many tools I've used. In modern SIEM tools, I am more familiar with Sentinel and Google Chronicle. I would say Splunk Enterprise Security has more capabilities, and maturity-wise and roadmap-wise, this product has become much more mature than the other two products I could compare.

How was the initial setup?

I was not present for the deployment.

What was our ROI?

I have definitely seen a return on investment with Splunk Enterprise Security.

What other advice do I have?

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection relate to the RBA, which is something that we were struggling with. We are working with the SIM and our reseller to streamline that process. That's something that's not easy for every organization. We are going through the same turbulence.

My organization does not completely utilize risk-based alerting in Splunk Enterprise Security as it's not fully mature. It is supporting our SOC in a limited way. We still have a long way to go. The product is not completely mature. We are a unique organization, so it requires additional resources to get that work done.

My organization is in the process of expanding our security use cases. It's a multi-year model where we are strategizing and exploring all our security needs. I would say we are still in the early phase. Although we have the product in place, it was not yet mature due to some resource issues.

My advice to other organizations considering Splunk Enterprise Security is that it's a good product. It's definitely helpful. If somebody is looking for security and log management, investigations, incident, and IRP, then they can look into this product and explore it. It's one of the market-leading products. It definitely stays up to the mark.

On a scale of one to ten, I rate this solution an eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Sunny-Kumar - PeerSpot reviewer
Cyber Security Analyst at airtel
Real User
Top 5
Apr 23, 2026
Real-time threat monitoring has strengthened resilience but support and automation still need work
Pros and Cons
  • "Splunk Enterprise Security helps improve our organization's business resilience because it is very useful for real-time monitoring and investigation."
  • "The technical support can be improved because sometimes when we call them, the issues are not resolved immediately and tickets take time to be addressed."

What is our primary use case?

In my organization, there are many use cases for Splunk Enterprise Security, including potential risk, brute force attacks, malware attacks, ransomware attacks, and firewall-related use cases. We also have switch-related, inbound traffic, outbound traffic, login failure, and successful login use cases. I estimate there are more than 150 use cases in our organization.

What is most valuable?

What I appreciate about Splunk Enterprise Security is that it is very intuitive and basic to use.

The best features of Splunk Enterprise Security that I value include its ease of use, the SPL query language, and its straightforward handling. It provides real-time monitoring and investigation, which are the main features in SPL.

Splunk Enterprise Security helps improve our organization's business resilience because it is very useful for real-time monitoring and investigation. When any incidents occur, we can check and detect them in real-time.

What needs improvement?

I would like to see improvements in Splunk Enterprise Security regarding the integration of device automation and more automatic use cases in the licensing model, as well as reducing the incident time period and incident remediation time.

The technical support can be improved because sometimes when we call them, the issues are not resolved immediately and tickets take time to be addressed.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for more than three years.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable and I have not experienced any downtime or significant performance issues. I rate the stability of Splunk Enterprise Security as good.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales well with the growing needs of my organization, though urgent support is required for projects deployed at customer premises.

How are customer service and support?

For customer service and technical support from Splunk, we raise a ticket or call a toll-free number for any technical issues, which they resolve with assistance.

Which solution did I use previously and why did I switch?

Before Splunk Enterprise Security, we used RSA NetWitness and also Sentinel.

What about the implementation team?

I am not directly involved in the deployment of Splunk Enterprise Security, but during the integration of devices, we have a team working on the onboarding process.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security. It is cost-effective since not many companies are using it right now compared to other SIEM tools.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup cost, and licensing is that Splunk Enterprise Security is very costly compared to other SIEM tools, but the advanced features justify the cost due to its real-time capabilities and user-friendly SPL features as a key differentiator. The licensing is also costly and based on events per second.

What other advice do I have?

I am currently working with Splunk Enterprise Security products and solutions. I work as a Splunk Admin with Splunk Cloud platform and Splunk Enterprise Security.

I do work with Splunk Enterprise Security but not with the Cloud. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security manageable.

There are many tasks we have to perform for detection in Splunk Enterprise Security, but if we categorize them, we use the SPL commands. We have to use the SPL query language to optimize and sort out the issue in a limited, minimum time period. These are the command lines we use to reduce the time and prioritize the issues.

We use disparate security solutions that integrate or import data into Splunk Enterprise Security, including Windows devices, Linux devices, and firewall devices. Many other devices are integrated, including the three main components of Splunk Enterprise Security: the forwarder, indexer, and search head. The forwarder collects data from different sources such as switches, firewalls, databases, or routers. These are the data sources integrated with our Splunk devices. The log source then collects the forwarder and sends it to the indexer. The indexer parses the logs, licenses the logs, and minimizes the logs in different formats including JSON format and TXT.IDS format. These are the two formats in which we have the logs stored in the indexer. The third component is the search head, where we perform searches in the dashboard and search console by redirecting to the indexer and extracting the necessary data.

My overall impressions of Splunk Enterprise Security's ability to predict, identify, and solve problems in real-time are positive. These include real-time investigation, incident identification, and minimizing the time required for response. The main components include the SPL command as a useful search processing language. We check the logs of the last three to four days and utilize the indexing box, including hot and cold buckets for storing logs. There are five types of buckets in Splunk Enterprise Security for this purpose.

I am using new threat detection features in Splunk Enterprise Security, including malware analysis, phishing email detection, and detection of malicious IPs, malicious tools, and URLs.

We have not faced any challenges in using Splunk Enterprise Security for advanced threat detection.

My organization uses risk-based alerting in Splunk Enterprise Security. We have a threshold in the search console for incidents. When any incident occurs, it can be categorized based on the number of occurrences as minor, moderate, major, or critical alerts depending on the threshold values.

I am not aware of specific enhancements or new features that should be included in future releases of Splunk Enterprise Security.

I decided to switch to Splunk Enterprise Security because my organization uses it and I have received training on it. The integration of devices with Splunk Enterprise Security is a significant factor, as it is a new technology with advanced real-time monitoring features.

The deployment model for Splunk Enterprise Security that I am using is on-premises.

I would advise other organizations considering Splunk Enterprise Security that it is a new product and new technology. It is easy to handle and has a straightforward deployment model. Use cases are also easy to create, and it provides real-time monitoring and incident detection, which is a valuable feature. My overall review rating for Splunk Enterprise Security is seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Apr 23, 2026
PeerSpot user
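The three reviews above all touch on risk-based alerting (a team-built RBA ahead of the product's own, an RBA rollout that is "not fully mature", and count thresholds that bucket incidents into minor, moderate, major, or critical) together with brute-force and login-failure use cases. As an added example that is not code from any reviewer, from Splunk, or from this page, the Python below models that pattern outside Splunk: individual detections contribute a risk score to an entity, the scores are summed per entity, and the total is mapped to a severity bucket by threshold. In Splunk ES the equivalent is risk rules writing events with a risk_score to the risk index and a risk incident rule summing those scores per risk_object; this model is not SPL and does not talk to Splunk. The log lines, the threat-intel address, the per-rule scores, the failure-count threshold, the time window, and the severity thresholds are all constructed assumptions.

```python
"""Toy risk-based alerting over constructed auth log lines (not Splunk ES code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, deliberately out of time order for one user.
SAMPLE_LOGS = """\
2026-04-20T10:00:01Z sshd auth=failure user=alice src=203.0.113.5
2026-04-20T10:00:03Z sshd auth=failure user=alice src=203.0.113.5
2026-04-20T10:00:04Z sshd auth=failure user=alice src=203.0.113.5
2026-04-20T10:00:06Z sshd auth=failure user=alice src=203.0.113.5
2026-04-20T10:00:07Z sshd auth=failure user=alice src=203.0.113.5
2026-04-20T10:00:09Z sshd auth=success user=alice src=203.0.113.5
2026-04-20T10:05:00Z sshd auth=failure user=bob src=192.0.2.10
2026-04-20T10:05:30Z sshd auth=success user=bob src=192.0.2.10
2026-04-20T10:10:00Z sshd auth=success user=carol src=198.51.100.77
2026-04-20T11:00:00Z sshd auth=failure user=dave src=192.0.2.20
2026-04-20T09:00:00Z sshd auth=failure user=dave src=192.0.2.20
2026-04-20T09:30:00Z sshd auth=failure user=dave src=192.0.2.20
2026-04-20T10:00:00Z sshd auth=failure user=dave src=192.0.2.20
2026-04-20T10:30:00Z sshd auth=failure user=dave src=192.0.2.20
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) auth=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

MALICIOUS_IPS = {"198.51.100.77"}  # assumed threat-intel list (constructed)

# Assumed per-detection risk contributions, analogous to risk_score on an ES risk rule.
SCORES = {"brute_force": 30, "success_after_burst": 40, "malicious_src": 50}

# Assumed severity thresholds on the aggregate, highest first; mirrors the
# minor/moderate/major/critical buckets described in the review above.
THRESHOLDS = [(100, "critical"), (70, "major"), (40, "moderate"), (1, "minor")]


def parse(text):
    """Turn raw lines into event dicts; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=5):
    """Run the individual detections; returns (entity, rule, evidence) tuples."""
    events = sorted(events, key=lambda e: e["ts"])  # sliding window needs time order
    recent_failures = defaultdict(list)  # user -> failure timestamps inside the window
    burst_users = set()                  # users with an open brute-force burst
    flagged_src = set()                  # (user, src) pairs already scored for bad IP
    detections = []
    for e in events:
        user = e["user"]
        if e["src"] in MALICIOUS_IPS and (user, e["src"]) not in flagged_src:
            flagged_src.add((user, e["src"]))
            detections.append((user, "malicious_src", e["src"]))
        if e["result"] == "failure":
            q = recent_failures[user]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:  # expire failures outside the window
                q.pop(0)
            if len(q) >= fail_threshold and user not in burst_users:
                burst_users.add(user)
                detections.append((user, "brute_force", f"{len(q)} failures in {window}"))
        elif e["result"] == "success" and user in burst_users:
            # A success right after a burst is the higher-value signal.
            detections.append((user, "success_after_burst", e["src"]))
            burst_users.discard(user)
            recent_failures[user].clear()
    return detections


def aggregate(detections):
    """Sum risk per entity, the way a risk incident rule sums risk_score per risk_object."""
    risk = defaultdict(lambda: {"score": 0, "rules": []})
    for entity, rule, _evidence in detections:
        risk[entity]["score"] += SCORES[rule]
        risk[entity]["rules"].append(rule)
    return dict(risk)


def severity(score):
    """Map an aggregate score to a bucket; anything below the lowest floor is 'none'."""
    for floor, label in THRESHOLDS:
        if score >= floor:
            return label
    return "none"


def run(text):
    """Full pipeline: parse -> detect -> aggregate -> bucket. Entities with no risk are omitted."""
    report = aggregate(detect(parse(text)))
    for r in report.values():
        r["severity"] = severity(r["score"])
    return report


if __name__ == "__main__":
    for entity, r in sorted(run(SAMPLE_LOGS).items()):
        print(f"{entity}: score={r['score']} severity={r['severity']} rules={r['rules']}")
```

With the constructed data, alice trips the brute-force rule and then logs in successfully from the same address, so two detections add up to 70 and land in the "major" bucket; carol's single login from the assumed malicious address scores 50 ("moderate"); bob's one failure and dave's five failures spread 30 minutes apart never cross the window threshold and produce no risk at all. That last case is the point of the window: a raw count over a long search range would have flagged dave too.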
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2026