Senior Manager at Wipro Limited
Helps reduce the alert volume, speed up investigations, and detect threats faster
Pros and Cons
- "The initial deployment was straightforward."
- "Splunk's reporting functionality would benefit from enhanced customization capabilities, allowing users to tailor reports to their specific needs for better data visualization and analysis."
What is our primary use case?
We use Splunk Enterprise Security to monitor our environment.
How has it helped my organization?
The threat intelligence and monitoring of Splunk are good.
We have integrated Splunk Enterprise Security with ServiceNow so whenever there is a detection it will automatically raise a ticket and send it to the appropriate team for analysis. The integration was seamless.
Splunk has helped reduce our alert volume by 20 percent and sped up our security investigations.
It does a good job detecting threats fast.
What needs improvement?
Splunk's reporting functionality would benefit from enhanced customization capabilities, allowing users to tailor reports to their specific needs for better data visualization and analysis.
For how long have I used the solution?
I have been using Splunk Enterprise Security for one and a half years.
Buyer's Guide
Splunk Enterprise Security
April 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: April 2026.
893,438 professionals have used our research since 2012.
What do I think about the stability of the solution?
Splunk Enterprise Security is stable.
What do I think about the scalability of the solution?
Splunk Enterprise Security is scalable.
How was the initial setup?
The initial deployment was straightforward.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is expensive.
What other advice do I have?
I would rate Splunk Enterprise Security ten out of ten.
For reporting, we don't use the Splunk dashboard; we use Tableau and Power BI.
I would recommend Splunk to others.
While Splunk Enterprise Security offers robust features for large organizations, its cost might be prohibitive for smaller businesses. To address this, I recommend exploring open-source SIEM solutions for small and medium organizations and Splunk for larger organizations.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Architect at a financial services firm with 1,001-5,000 employees
It's easy to use and provides clear visibility, but we have a high volume of alerts
Pros and Cons
- "We evaluated several solutions and selected Splunk due to the functionality and cost."
- "Splunk Enterprise Security is complicated in terms of developing specific cybersecurity use cases."
What is our primary use case?
We use Splunk Enterprise Security for 24-hour monitoring and security log checks.
How has it helped my organization?
It is easy to monitor multiple cloud environments with Splunk Enterprise Security. The visibility into multi-cloud environments is good.
We have some open-source tools integrated with Splunk that help with threat intelligence.
Even though we already have several SIEM solutions in place, their similarities make adopting Splunk Enterprise Security a breeze.
Splunk Enterprise Security helps speed up our investigations.
What needs improvement?
Splunk Enterprise Security is complicated in terms of developing specific cybersecurity use cases.
Our alert volume is still high, and we are working on reducing it.
For how long have I used the solution?
I have been using Splunk Enterprise Security for six months.
What do I think about the stability of the solution?
Splunk Enterprise Security is stable.
How are customer service and support?
The technical support was responsive and knowledgeable.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Compared to Sumo Logic which is organized, Splunk Enterprise Security is complicated.
How was the initial setup?
While the deployment was straightforward, it took a few months to complete because we had to make customizations to fit our specific environment.
What's my experience with pricing, setup cost, and licensing?
Splunk is priced similarly to other SIEM solutions.
Which other solutions did I evaluate?
We evaluated several solutions and selected Splunk due to the functionality and cost.
What other advice do I have?
I would rate Splunk Enterprise Security seven out of ten.
We're currently integrating our log sources with Splunk. Once logs are flowing, we'll deploy security monitoring use cases with alerts. We'll then explore Splunk's further capabilities.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cloud Architecture Associate Director, Infrastructure at a tech vendor with 10,001+ employees
Provides good granularity and log analysis
Pros and Cons
- "The solution's most valuable features are the granularity and analysis of the logs."
- "Splunk Enterprise Security incurs a significant cost because of the amount of data we send, but we are fine with the value we're getting for that price."
What is our primary use case?
We're using the solution for log analysis and our internal infrastructure. We may use it for a customer offering at some point, but currently, it's completely internal.
What is most valuable?
The solution's most valuable features are the granularity and analysis of the logs. Once you learn the syntax, it's a great tool. These features are important to us because they enable us to drill down to certain users doing certain things and perform trend analysis.
For how long have I used the solution?
I have been using Splunk Enterprise Security for well over a year.
What do I think about the stability of the solution?
We’ve had no issues with the solution’s stability.
What do I think about the scalability of the solution?
We have 90,000 users and deal with massive amounts of data volume.
How are customer service and support?
The solution’s technical support is fantastic.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We were using IBM's TSM backup tool and our own internal tool. We switched to Splunk Enterprise Security because we wanted to be more of a cloud-forward company and didn't want to host everything on-premises.
What about the implementation team?
We installed the solution mostly by ourselves, but we did have a little help. We installed heavy forwarders at a relatively low cost. Since we already had a VMware environment, we just set up the VMs for the forwarding.
What was our ROI?
We have seen a return on investment with the tool in terms of seeing what users are doing.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security incurs a significant cost because of the amount of data we send, but we are fine with the value we're getting for that price.
What other advice do I have?
The tool provides much more insight into what users and our apps do. We also use the solution to monitor a lot of machine-to-machine traffic.
We have a hybrid environment. All of our internal tooling is in our internal data centers, but we also have a big cloud presence for some of our other tooling and mostly for our customers. Speaking from the internal side, Splunk Enterprise Security has been fantastic in helping us find all kinds of security events every day.
Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data. The solution has helped us have everything in one place and grab everything at once. The tool has also helped us solve problems in real time. The Ops team will approach us when they are stuck with a problem ticket. We can look instantly, see what's happening, and track it down.
The solution provides us with the relevant context to help guide our investigations. This context information makes things easier and faster for us. We get more information about exactly what's going on.
Splunk Enterprise Security has helped us save around 50% of our time.
Splunk Enterprise Security has helped reduce our mean time to resolve by 50%.
Overall, I rate the solution ten out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sr Analyst at ATOS
The solution has improved our operations by giving us access to more information and allowing us to deploy more use cases
Pros and Cons
- "Splunk has improved our operations by giving us access to more information and allowing us to deploy more use cases."
- "The monitoring aspect of Splunk could be improved. We have to do some queries to get as much information as CrowdStrike or other solutions provide. If you run a big query, you will see a delay. That is the only concern we have because it will take some time if you query large data sets."
What is our primary use case?
We use Splunk for monitoring and investigation and recently integrated it with ServiceNow. It's a SOC tool, and any malicious activities on the client's side trigger an alert here.
How has it helped my organization?
Splunk has improved our operations by giving us access to more information and allowing us to deploy more use cases. We have integrated Splunk with ServiceNow, so the information from the queries running on the back end is now directly forwarded to the analysts, reducing the manual work. We are pulling data from Splunk into ServiceNow, so the security analysts have all the user details to conduct their investigations.
What is most valuable?
It's easy to monitor multiple environments with Splunk. The cloud model is better than the previous on-premises version. The custom dashboards are helpful. We have created multiple dashboards for user activity, logins, phishing, etc. If you miss an alert, you can check the dashboards. For example, if you need to check some user activity, we have a dashboard for Azure Active Directory, and Mimecast is integrated for monitoring email-based attacks like phishing. It throws the information up on the dashboard when we get an alert.
What needs improvement?
The monitoring aspect of Splunk could be improved. We have to do some queries to get as much information as CrowdStrike or other solutions provide. If you run a big query, you will see a delay. That is the only concern we have because it will take some time if you query large data sets.
For how long have I used the solution?
I have used Splunk for more than three years.
What do I think about the stability of the solution?
I rate Splunk 10 out of 10 for stability.
What do I think about the scalability of the solution?
Splunk is a highly scalable product.
How are customer service and support?
I rate Splunk support 10 out of 10.
How would you rate customer service and support?
Positive
How was the initial setup?
Deploying Splunk is somewhat complex, and it requires maintenance afterward.
What's my experience with pricing, setup cost, and licensing?
Splunk is expensive based on our current requirements, but it's obviously worth what we pay.
What other advice do I have?
I rate Splunk Enterprise Security nine out of 10. I see Splunk as a monitoring tool, not as a security tool. It provides alerts, and we conduct an analysis and investigation based on the information we receive. I believe having another sandbox integrated with Splunk will be helpful for the investigator.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Splunk Engineer at UnitedHealth Group
We can take predictive action to identify and block threats so that nothing harmful gets into the system
Pros and Cons
- "Splunk helps us be more proactive. We can take predictive action to identify and block threats so that nothing harmful gets into the system."
- "Splunk could have more built-in use case presets that customers can build on and customize."
What is our primary use case?
We use Splunk daily to find the root cause of attacks and analyze users attempting to access our system. We create incidents and address 5 to 7 simultaneously. Once we analyze and record the activity, we can delete the incident. Our admin team will verify whether it originated externally or internally.
We use Splunk to respond to security incidents and for data analytics. We conduct custom correlations for the customer and write reports on any attacks. We set alerts for user behavior to discover threats, like if someone is constantly attempting to access our internal domain. The admin will identify that threat and block it.
How has it helped my organization?
Splunk helps us be more proactive. We can take predictive action to identify and block threats so that nothing harmful gets into the system. With Splunk, we can monitor the entire environment from one place. It's a single point of control for all infrastructure, whether in the cloud or on-premise. Splunk has sped up our security investigations.
What is most valuable?
I like Splunk's Notable Events. We have created several dashboards for our customers, where you can see the activity and number of alerts. The database receives data about the mask and domain IPs of any user trying to gain access. We ingest logs from multiple antivirus products and firewalls and analyze them to prevent attacks and threat activities.
What needs improvement?
Splunk could have more built-in use case presets that customers can build on and customize.
For how long have I used the solution?
I have used Splunk for 9 years.
What do I think about the stability of the solution?
Splunk is a stable product.
How are customer service and support?
I rate Splunk technical support 8 out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used Dynatrace but switched to Splunk because it has more features.
How was the initial setup?
Splunk is easy to deploy if you have some basic knowledge. You need experience. It doesn't require any maintenance after deployment.
What's my experience with pricing, setup cost, and licensing?
Splunk is a good value for the features it provides. The license is costly, but it's better than the other tools.
What other advice do I have?
I rate Splunk Enterprise Security 8 out of 10. I would recommend Splunk to others. It's one of the most powerful tools available. It's a valuable tool for monitoring infrastructure.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer (Partner).
Manager at a consultancy with 1-10 employees
Provides constant monitoring and good visibility, but is not user-friendly
Pros and Cons
- "Compared to IBM QRadar, Splunk Enterprise Security offers faster alert resolution."
- "Splunk has a steeper learning curve, making it feel less user-friendly."
What is our primary use case?
We use Splunk Enterprise Security for security correlation and event management.
Splunk Enterprise Security is deployed as a hybrid model where the core component is on the cloud and is integrated with an on-premises solution.
How has it helped my organization?
Splunk Enterprise Security offers strong visibility through readily available use cases and supports integrations with most standard log sources. Its search capabilities are also commendable. Compared to other tools, Splunk Enterprise Security delivers superior visibility.
While we haven't integrated UEBA yet, it's in our plans. As a proactive monitoring solution, UEBA offers several benefits. It can identify Indicators of Compromise based on historical threat intelligence and generate alerts for suspicious activities. This allows us to potentially detect compromised accounts or ongoing attacks before they cause significant damage.
Splunk offers its threat intelligence service, which helps prevent IP replication and malicious threats. This information can be integrated or configured for our specific use cases, delivering more relevant and high-value insights.
Threat topology and MITRE ATT&CK are frameworks used to understand and analyze attack patterns and techniques, which can then be used to formulate and refine IOCs.
Splunk Enterprise Security's effectiveness in analyzing malicious activities or detecting breaches depends heavily on its configuration and correlation settings. Therefore, it's impossible to definitively label any tool as inherently good or bad. Ultimately, its success hinges on the organization's implementation. This includes onboarding the tool with the appropriate block sources for security detection, employing a sound risk assessment methodology, and aligning the tool's capabilities with both business and security use cases. When configured correctly, Splunk Enterprise Security can undoubtedly contribute to improvements in MTTD and MTDL.
Splunk Enterprise Security helps us detect threats faster. It allows us to define use cases, integrate with multiple threat feeds, and even connect to vulnerability solutions. In essence, by configuring all relevant log sources and defining appropriate use cases, we can achieve the primary objective of any SIEM solution: reducing mean time to protection.
Splunk Enterprise Security has reduced our investigative time by 25 percent by consolidating all logs into a central console. This eliminates the need to log into individual tools for log retrieval.
Splunk Enterprise Security helps reduce the number of false positive alerts.
What needs improvement?
In terms of monitoring capabilities, Splunk Enterprise Security performs adequately. However, its user interface requires training for efficient use. Compared to competitors like IBM QRadar, McAfee Nitro, and RSA Security Analytics, Splunk has a steeper learning curve, making it feel less user-friendly.
For how long have I used the solution?
I have been using Splunk Enterprise Security for almost four months.
How are customer service and support?
We use a licensed third-party Splunk partner for support, and I haven't heard of any issues so far.
Which solution did I use previously and why did I switch?
Compared to IBM QRadar, Splunk Enterprise Security offers faster alert resolution. Its superior indexing and searching capabilities deliver quicker query results. While QRadar boasts a more user-friendly interface, Splunk provides numerous pre-built use cases that effectively reduce false positives and feature comprehensive application dashboards.
For instance, I encountered a use case unavailable in QRadar which appears to utilize the Cyber Kill Chain framework. MITRE ATT&CK enjoys wider adoption, and Splunk leverages this framework whereas QRadar persists with the Cyber Kill Chain. Additionally, Splunk integrates with a third-party app exchange, offering functionalities like vulnerability dashboards, threat intelligence, correlation dashboards, and EPS dashboards. This extensive library of applications caters to diverse business use cases. Users can install these applications as needed, making Splunk a highly customizable and feature-rich solution. Although undeniably expensive, its capabilities justify the cost.
What's my experience with pricing, setup cost, and licensing?
While Splunk is a powerful enterprise tool, I'm new to it myself. I've heard Splunk is often preferred over other options, but the cost can be prohibitive for smaller organizations.
There are cheaper SIEMs available, but they require much more manual configuration, typically by developers with scripting knowledge. Splunk does not require this manual configuration, and its parsing, indexing, and visibility are superior.
What other advice do I have?
Based on the limited time I have been using the solution and the feedback I have received from other users, I would rate Splunk Enterprise Security a six out of ten.
Without a SIEM solution, we rely on individual point solution consoles. For example, logging into a firewall reveals only local logs. Imagine the firewall detects suspicious IPs generating unusual traffic. Confirming this as a true or false positive is difficult solely based on firewall rules. Conversely, a SIEM offers multiple options for correlation. Say the firewall denies traffic, and threat intelligence identifies the source IP as malicious. Additionally, web server logs might show suspicious activity or bad actors attempting an attack. With multiple logs and threat indicators, the chance of false positives drops significantly. Correlation enables confirmation of genuine traffic versus malicious activity. Without a SIEM, pinpointing true attacks from false positives becomes challenging.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
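The correlation argument in the review above, worked through as an added example that is not the reviewer's or Splunk's code: constructed firewall, web-server and threat-feed records for the same source IP are scored together, so a lone firewall deny stays "needs review" while corroborated activity is "confirmed". The log formats, feed contents, weights and threshold are all assumptions made for this example.

```python
"""Multi-source SIEM correlation over constructed sample data.

Added example (not from the original reviews, not Splunk's own logic):
log formats, threat feed, weights and the error threshold are assumed.
"""
import re
from collections import defaultdict

# Constructed firewall syslog lines; the key=value format is assumed.
FIREWALL_LOGS = """\
2024-05-01T10:00:01Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-01T10:00:02Z fw01 action=deny src=203.0.113.7 dst=10.0.0.5 dport=23
2024-05-01T10:00:03Z fw01 action=deny src=198.51.100.9 dst=10.0.0.5 dport=443
2024-05-01T10:00:04Z fw01 action=allow src=192.0.2.44 dst=10.0.0.8 dport=443
""".splitlines()

# Constructed web-server access log lines (common log format).
WEB_LOGS = """\
203.0.113.7 - - [01/May/2024:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404 512
203.0.113.7 - - [01/May/2024:10:00:06 +0000] "GET /.env HTTP/1.1" 404 512
203.0.113.7 - - [01/May/2024:10:00:07 +0000] "GET /admin HTTP/1.1" 403 512
192.0.2.44 - - [01/May/2024:10:00:08 +0000] "GET /index.html HTTP/1.1" 200 2048
""".splitlines()

# Constructed threat-intel feed: source IPs some feed reports as malicious.
THREAT_FEED = {"203.0.113.7", "192.0.2.99"}

FW_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+)")
WEB_RE = re.compile(r'^(?P<ip>[\d.]+) .*?" (?P<status>\d{3}) ')

# Weights assumed for this example; a real deployment tunes these per source.
WEIGHTS = {"fw_deny": 1, "threat_intel": 2, "web_errors": 1}
ERROR_THRESHOLD = 2  # 4xx responses from one client before web activity counts


def parse_firewall(lines):
    """Yield (src_ip, action) for each parseable firewall line."""
    for line in lines:
        m = FW_RE.search(line)
        if m:
            yield m["src"], m["action"]


def parse_web(lines):
    """Yield (client_ip, http_status) for each parseable access-log line."""
    for line in lines:
        m = WEB_RE.match(line)
        if m:
            yield m["ip"], int(m["status"])


def correlate(fw_lines, web_lines, threat_feed):
    """Return {src_ip: {"indicators": set, "score": int, "verdict": str}}.

    Only IPs seen in local logs are considered; the threat feed enriches them.
    An IP appears in the result when at least one indicator fires, and is
    "confirmed" only when two or more independent sources agree. That is the
    point of the argument above: corroboration, not any single log, is what
    separates a true positive from noise.
    """
    denies = defaultdict(int)
    for src, action in parse_firewall(fw_lines):
        if action == "deny":
            denies[src] += 1
    web_errors = defaultdict(int)
    for ip, status in parse_web(web_lines):
        if 400 <= status < 500:
            web_errors[ip] += 1

    results = {}
    for ip in set(denies) | set(web_errors):
        indicators = set()
        if denies.get(ip, 0):
            indicators.add("fw_deny")
        if ip in threat_feed:
            indicators.add("threat_intel")
        if web_errors.get(ip, 0) >= ERROR_THRESHOLD:
            indicators.add("web_errors")
        if not indicators:
            continue
        score = sum(WEIGHTS[i] for i in indicators)
        verdict = "confirmed" if len(indicators) >= 2 else "needs review"
        results[ip] = {"indicators": indicators, "score": score, "verdict": verdict}
    return results


if __name__ == "__main__":
    for ip, r in sorted(correlate(FIREWALL_LOGS, WEB_LOGS, THREAT_FEED).items()):
        print(ip, r["verdict"], r["score"], sorted(r["indicators"]))
```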
Project Manager at Hilti
Offers valuable logs, has good visibility, and accelerates our security investigations
Pros and Cons
- "The most valuable features are the logs, which allow us to identify what happened and who interacted with the web repository."
- "Some of the queries are difficult to run and have room for improvement."
What is our primary use case?
I utilize Splunk Enterprise Security to gather logs, and subsequently, I provide the team with access to the servers through a change management ticket or incident. I wasn't involved in the installation process during my tenure as a Windows server lead. I also verify whether all our actions adhere to the compliance framework.
Our deployment of Splunk Enterprise Security was all on-premises.
How has it helped my organization?
The visibility that Splunk Enterprise Security provides is beneficial and valuable.
Splunk Enterprise Security helped analyze malicious activities.
With Splunk Enterprise Security we were able to detect threats faster.
Splunk Enterprise Security contributed to a reduction in alert volume as our employees became aware of being monitored and ceased accessing the server without proper authorization.
Splunk Enterprise Security has significantly accelerated our security investigations by centralizing all log data and enabling us to quickly retrieve the necessary information through simple queries.
What is most valuable?
The most valuable features are the logs, which allow us to identify what happened and who interacted with the web repository.
What needs improvement?
Some of the queries are difficult to run and have room for improvement.
For how long have I used the solution?
I am currently using Splunk Enterprise Security.
What do I think about the stability of the solution?
I would rate the stability of Splunk Enterprise Security ten out of ten. We have never had an issue with stability.
What do I think about the scalability of the solution?
Splunk Enterprise Security is scalable.
Splunk Enterprise Security's resilience is a valuable asset.
What's my experience with pricing, setup cost, and licensing?
Organizations seeking a more affordable solution should first carefully evaluate their specific business requirements. While cheaper alternatives exist, they may lack the necessary features to adequately address their security needs. In such cases, Splunk Enterprise Security could be a more suitable option.
Splunk Enterprise Security is a worthwhile investment given the comprehensive range of features it offers.
What other advice do I have?
I would rate Splunk Enterprise Security eight out of ten.
I recommend Splunk Enterprise Security.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Helps reduce threat detection time, security investigation time, and alert volumes
Pros and Cons
- "The most valuable feature of Splunk Enterprise Security is the comprehensive logging capabilities it provides."
- "Given the ever-increasing number of threats, I would like Splunk to update its threat signatures more frequently."
What is our primary use case?
We use Splunk Enterprise Security to identify and resolve critical issues and errors within our environment.
How has it helped my organization?
The visibility that Splunk Enterprise Security provides is good. We can easily find the data we need using the logs.
Monitoring multiple cloud environments using Splunk Enterprise Security was not difficult.
Splunk Enterprise Security's insider threat detection capabilities enable us to effortlessly identify unknown threats and anonymous user behavior.
Splunk Enterprise Security helped us analyze malicious activities and detect breaches 50 to 90 percent faster.
Splunk Enterprise Security has helped reduce alert volumes by up to 90 percent.
Splunk Enterprise Security has helped speed up our security investigation time by almost 90 percent.
What is most valuable?
The most valuable feature of Splunk Enterprise Security is the comprehensive logging capabilities it provides.
What needs improvement?
The price of Splunk Enterprise Security is high and can be improved.
Given the ever-increasing number of threats, I would like Splunk to update its threat signatures more frequently.
For how long have I used the solution?
I have been using Splunk Enterprise Security for one and a half years.
What do I think about the stability of the solution?
Splunk Enterprise Security is stable.
What do I think about the scalability of the solution?
Splunk Enterprise Security is scalable.
The resilience of Splunk allows organizations to protect their data and resolve vulnerabilities quickly.
How are customer service and support?
The technical support provides good resolution.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I had previously used Loggly, developed by SolarWinds and Elastic. However, I found it to be inaccurate and slow. Elastic offers a free version of its solution, which is more commonly used by smaller businesses.
What about the implementation team?
The implementation was completed by a third party.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is expensive. I would rate the cost an eight out of ten with ten being the most expensive.
I recommend Splunk Enterprise Security over cheaper SIEM solutions because of its offerings.
What other advice do I have?
I would rate Splunk Enterprise Security nine out of ten.
Splunk Enterprise Security does not require any maintenance. It is plug-and-play.
I recommend Splunk Enterprise Security for organizations that want to detect threats quickly.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer (Partner).