Splunk Enterprise Security Reviews

Enterprise security is the solution’s most valuable feature.

Its reporting functionality is excellent.

I really like the user interface and how it works.

It’s scalable.

The solution is stable.

You can integrate any other tool or any other solution, including existing solutions, with Splunk. They have a good setup.

The log analysis is something that is good. In general, data analysis is something you can do in Splunk in various ways. You can leverage it as per your requirements or as per your investigations. You can write your own queries and complicated queries, and you can have your own alerts. You can correlate events. It’s very flexible.

It is one of the best tools that I'm using. I don't have any feedback as such right now regarding improvements. I'm not also an expert, so maybe I'm missing something.

Writing queries is a bit complicated sometimes. If they could provide some building queries, that would be great.

It's been a while. For maybe four years, I've used Splunk, however, I'm not an expert on it.

It's a stable solution. We are not going to get rid of it anytime soon. It’s reliable. There are no bugs or glitches and it doesn’t crash or freeze. The performance is good.

The solution scales very well.

I wasn't part of the engineering side, so I never got a chance to contact the support team directly.

We have a SIEM solution, however, now the company is also trying to move to an Excel solution since the automation is better on their side. We aren't going to get rid of it or did not have any other SIEM solution in their mind when they were acquiring it. However, if any XOR solution works perfectly for us, the company might consider moving out of Splunk.

A different organization would have a different setup of Splunk. If you ask me, mostly, it is a simple setup. However, here in my current organization, it is mostly on the cloud, and a lot of things are integrated in a bit of a complex manner. I also understand that this changes from organization to organization in terms of how they will leverage it.

I’ve never looked into ROI and have not been a part of conversations concerning ROI.

I don’t have any idea what the cost of the solution is. I don’t handle the licensing.

A company that wants to leverage Splunk should understand its environment first - including the organization, the network infrastructure, and the overall infrastructure. Then, based on requirements, they should go ahead with any SIEM solution. Splunk is kind of an expensive tool to have. Therefore, the company should be clear about what requirements they have, what they need, and whether they want to use Splunk. It is very crucial to understand your requirements and your network or your environment first before going ahead.

I’d rate the solution eight out of ten.

Overall, it's a good tool. It's a very intelligent tool. It definitely depends on how you are going to use it. However, I love the product. I love Splunk. I want to learn more about it as much as I can.

We primarily use the solution for monitoring, intrusion detection, and prevention. It is mostly a lot of security and network and server monitoring.

It automated the way we look at intrusion detection and prevention. It automatically picks up intrusion attempts within our environment.

The monitoring and the security functionality are the most valuable aspects of the solution.

It is easy to set up.

It is very scalable. 

You can basically make it do whatever you want, from log management and monitoring security, intrusion detection, prevention, and linking to your antivirus to report to it. Having kind of a single point where everything feeds in and create dashboards however you like is useful and works with how many ever systems you want in that dashboard.

I've not come across any areas that need improvement.

I'd like to see more integration with more antivirus systems.

We've used the solution for roughly, one year and a half years.

The solution is highly scalable.

We have four people that use the solution and they were split between infrastructure and security.

We don't have a plan to increase usage as we're almost at capacity with our servers, for our purposes. I don't think we're going to scale it as we're using everything we can from anything we need. However, it's intensely used for security purposes.

Technical support is perfect.

Positive

The initial setup was straightforward. It was done by Splunk entirely. After that, the configuration took a bit of time, however, we bought professional service days from them to help us build the configuration.

The full deployment took about five months due to the fact that we have quite a lot of servers.

I'd rate the experience a five out of five in terms of ease of execution. 

The amount of people you require for deployment and maintenance depends on the complexity of the environment. It can be run and managed by a single person if the environment is not highly complex. If you're talking about probably less than 200 servers, and a couple of network endpoints, one person can manage it easily after it's been configured. Otherwise, I wouldn't be able to say. In more complex environments where you've got several geographical locations, several data centers in geographical locations, and so on, you'd probably need more than one.

Splunk handled the implementation. It was a joint effort between them bringing the knowledge and us doing the actual work.

It's a great investment, especially if you want to strengthen your security stance.

It's yearly a yearly license on a three-year contract. On a three-year contract, you get a discount basically - rather than putting it on a rolling yearly contract.

On pricing, if I base it on the functionality of the system out of the box, I would rate it five out of five.

They have several prepackaged modules you can purchase. For example, for the security type, they have Security Enterprise, with the default products getting security essentials. With Infrastructure, the same. We've got an ITOps enterprise, which again, is payable on top of the standard license. 

It's pretty much how much you can actually build in-house. The difference between AT&T, LogRhythm, and Splunk, while AT&T and LogRhythm are pretty out of the box (it's click and configure), Splunk is highly configurable. 

You can make it do whatever you want to, as long as you know how to edit the configuration files. What ITOps and Security Enterprise do, instead of you having to build all that from the ground up, so the dashboards, the logic behind it, the configuration files, and so on, become prepackaged and pre-installed.

We did test AT&T and LogRhythm as well. We chose this solution as a balance between cost and functionality.

AT&T was a great security tool, however, it lacked a lot of the infrastructure things that Splunk does, in terms of server monitoring and network monitoring. LogRhythm did have a dose, however, at a very prohibitive price. It was almost twice the cost of Splunk.

We've got a version of Splunk Cloud. I'm not sure of which version.

I'd advise users to get more professional service days. You get five professional service days with the product, when you buy the license, usually. Definitely get at least ten more.

You need to have some strategy before. You definitely need a strategy. Before you do your PS days, definitely have a look at your strategy and make sure you've arranged your questions rather diligently. Based on how you think you're going to use the system, where you are where you want to be, just box them into separate parts - security, infrastructure, and monitoring. It's going to make life a lot easier when you talk to consultants as the consultants are very, very knowledgeable. However, you need to ask the right questions.

I'd rate the solution ten out of ten.

It is a very well-organized solution. I find it more user-friendly than ArcSight and QRadar. I can search, and I can do whatever I need in terms of dashboards, reports, etc.

It is the best tool if you have a complex environment or if data ingestion is too huge.

The cluster environment should be improved. We have a cluster. In the Splunk cluster environment, in the case of heavy searches and heavy load, the Splunk cluster goes down, and we have to put it in the maintenance mode to get it back. We are not able to find the actual culprit for this issue. I know that cluster has RF and SF, but it has been down so many times. There should be something in Splunk to help users to find the reason and the solution for such issues.

I would also like to be able to see all the data for internal logs. When we search for internal logs, sometimes, we are not able to find some of the data. For example, when Splunk crashes or something happens, we don't get to know what happened. We tried looking into the internal logs, but we could never figure out the reason from the logs. The information is limited, and it should be improved.

We have been using Splunk for more than four years.

Its scalability is very good. Companies nowadays are totally dependent on tools like Splunk. It is widely used in our organization. We have a huge team that uses it on a daily basis. For onboarding, we have another team, and we also have a team for Splunk monitoring. We have a large amount of data ingestion per day, so our team has more than 25 people in it.

In my current company, I have seen the tickets getting resolved soon. In my previous company, which was a startup, a P1 ticket generally took 24 hours or less. They called us back and resolved it as soon as possible, but if it was a P2 or P3, I have seen them taking a month or more.

We worked with QRadar for some time, but after that, we just came to Splunk.

It is straightforward. The deployment duration totally depends on how you are working.

We have it on-premises as well as on the cloud.

We have an unlimited one, and we pay yearly, but I don't know how much it costs. Previously, I worked for a startup, and when they started building it up, it was complicated for them because they didn't have the budget for that many licenses. It was very costly for them. So, startups might find it a little bit problematic because of the licensing, but for bigger companies, there is no issue.

If it is a complex environment and data ingestion is huge where you want to ingest Syslogs or networking devices logs, you should go with Splunk. It is better than QRadar. Nowadays, the usage of AWS is growing, and that should be taken into consideration when deciding about on-premises or cloud deployment.

I would rate it a nine out of 10. I find it great. I'm very eager to do the Splunk certifications as well.

I work for a government agency and we use Splunk to monitor our Cisco equipment. I'm a senior network engineer and we are customers of Splunk. 

This is a very capable and flexible solution. It's based on Linux and even Windows installations use the Linux file structure. You can use it to gather syslog messages from anything; jet engines, fin-tech financial institutions, banking, regular enterprise, etc. You can gather the messages from network equipment, elevators, anything you can think of that generates syslog, and Splunk it. They also have a good API so you can write your own code to talk to it or interact with it. The solution has a lot of applications that people have written. It's the best solution on the market. 

It would be nice if they had a wizard to construct searches, including more complex searches that include math or statistics. 

I've been using this solution for 10 years. 

The product runs on Linux so it's very stable. It's important to have a well-run SAN environment to store the data. 

The solution can be scaled up to any size of enterprise or agency. I have heard of Splunk installations of over 100 terabytes of licensing.

We used Logrhythm previously but it was not a good fit for our environment. That is why we switched to Splunk.

The initial setup is fairly complex. There's a certain architecture that Splunk utilizes to handle its indexing and it also depends on the size of your deployment. If you have a relatively low amount of gigabytes per day, deployment is simple. And of course it scales to terabyte, so if you have a terabytes installation, there are a lot of additional services that need to be implemented such as licensing servers and clustering. We sometimes configure syslog NG servers to front end the date before it ends up at an indexer. If it's a large terabyte installation, you definitely want to use professional services.

This was implemented through a combination of in house and vendor developers.

n/a

Splunk charges on the basis of gigabytes of incoming log messages per day. Also I would recommend that funds be set aside for Splunk training and certification.

There is a large number of options for training and certification. The more training you have the more useful Splunk becomes. However, right out the gate you can do useful searches due to the search bar design.

The most valuable feature of Splunk is security information and event management(SIEM). Additionally, the solution is easy to use, has useful reports, and good interface.

I have used Splunk within the past 12 months.

Splunk is stable, and this is why many customers want it.

The scalability of Splunk is good. Customers can purchase 100 GB now and if they wanted more, they can immediately add an additional 100. The customer will have to only pay for additional licenses.

I hear that customers usually have support on time from the Splunk team. Generally, they are satisfied with the response they receive from Splunk.

The total time of the implementation depends upon the customer's requirement. The factors that affect the implementation time are the type of use case, the environment of deployment, one location or multiple locations, number of devices, and applications. The requirements play a large role in the time it might take for implementation. You cannot simply explain in one week or one month.

There are two to three people required for the implementation of Splunk.

The price of this solution is expensive. However, it has great features. If you want a great solution you need to pay a price matching the features.

If this solution matches the needs of your use case then I would give it a try.

I rate Splunk a nine out of ten.

Our initial use case was for security investigation, with the intention of creating some use cases. We ended up adding operational aspects, monitoring certain operational activities, such as high CPU utilization or any other applicational basis. 

This is obviously a cloud solution, but it does have some presence on-premises as well, so it's hybrid. 

One of the most valuable features is threat hunting. We can do threat hunting and identify if there is any malicious activity happening within our environment, which is a key feature for us. 

Splunk could be improved by reducing the cost. The cost is one of the biggest challenges for us in keeping to our production requirements. 

As for additional features, I think they need to refine their AI capability. I know that everyone is talking about artificial intelligence and threat hunting, so I guess one of the key requirements for us is for the solution to automatically provide us some kind of indication and then mitigate any risk. So automation should be a feature. 

I have been using Splunk for two years. 

This solution is excellent from a performance and stability perspective. There's very minimal maintenance required. Basically the only aspect we need to maintain is the one we have on-prem. So patching up everything and making sure it has the required updates. 

There are no issues at all in terms of scalability, since this is a cloud-based solution. There are around 25 to 30 users in my company accessing Splunk. 

Splunk's support is good. The process was smooth and they provided sufficient support, so there was no need to escalate anything. Also, they provide training on a regular basis, which is good. 

I have never worked with other similar products. I've worked for three companies, all of which use Splunk. 

The initial setup was very smooth. I think we got some support from the Splunk team. Since it's a cloud-based solution, it took us probably three or four weeks to actually start working. But deploying agents, configuration, refining, fine tuning, and other ongoing activities went on for about a month. 

We implemented through an in-house team with some support from the Splunk team. It was a very smooth process, from our perspective. 

This solution is costly. Splunk is obviously a great product, but you should only choose this product if you need all the features provided. Otherwise, if you don't need all the features to meet your requirements, there are probably other products that will be more cost-effective. It's cost versus the functionality requirement. 

I also evaluated IBM QRadar and LogRhythm NextGen SIEM. 

I work in security architectures, not operations, so I don't actually work with Splunk on a regular basis, but the team that does is working on threat hunting and incident management. 

I rate Splunk an eight out of ten. 

We are currently using it with SIEM, and SOAR which is Security Orchestration, Automation, and Response.

Splunk is primarily used for security, incident response, and security analytics.

Using Splunk, give us the visualization we need, we can easily observe things such as user behavior analytics, irregular traffic, frequency, and any spikes in unusual activity inside the network.

The additional vendors we've brought on board, particularly the Elastic, have been quite beneficial.

It's a solid platform.

Other than the pricing modules, I have no issues with the product itself.

The configuration had a bit of a learning curve.

I would like to learn more about the Cloud solution, but I'm aware that it's lacking some core applications.

If they could bring on more vendors, you would be able to monitor a larger number of applications. We could have visualization with other applications we have with the infrastructure in our organization.

I did a POC, but we have recently procured it. We did a rudimentary setup to get an understanding of how it works. We are into our sixth month of using it now.

Splunk is a very stable solution.

This solution is quite scalable.

In our organization, we have 10 users, who use this solution but we have plans to increase our usage.

The technical support has been quite helpful.

The previous solution was limited in its functionality. 

We were looking at the additional controls that enterprise security may have, as well as visualization, to gain greater visibility.

Splunk offered us more visibility.

The initial setup was complex.

We had some assistance with the actual deployment, but while I was doing the POC, I was working with a vendor. There were things I had to do myself, such as the configuration, which was a bit challenging for me, it was a big learning curve.

For the installation, we received some assistance from the vendor.

It's too early to know if there will be a return on investment.

The pricing modules could be improved.

The licensing fees are paid on a yearly basis.

There is a standard license with provisions for more. As we are still exploring the functionality, there may be other departments that want to use it.

Those who are interested in implementing this solution should be prepared to dig deep into their pockets.

I would rate Splunk a nine out of ten.

I have some experience with the solution, since I am working with customers who are interested in part time help monitoring their network and have been helping them fine-tune the rules in the solution's platform. The way the primary task works is to watch for and then respond to the threat. Should there be a need, I usually work with a team in fine-tuning the rules on this platform. We are providing the products.

I recently started working primarily on the Playbooks of the Splunk Phantom, so I've been creating some of these to help the customer automate the process of responding to the threats.

What is nice about the solution is that it makes it easy to build the queries, search for the events and then do analysis. I recently have become involved in the Playbooks, since it is painful for the client to respond to the threat, be it positive or negative. As such, I currently see the Phantom component of the solution to be of great value. Otherwise, most other features seem to be similar to Netwitness, such as the monitor log, network, and endpoint capabilities. Importantly, the solution lacks endpoint options, as these are currently deployed on Cisco, which is okay, as it works fine with that bad side of the endpoint security. This translates into them building queries, rules and then Playbooks. 

The main advantage of the solution is that it provides an easy setup platform in the new environment. When set up afresh, it is also easy to build queries. Historical queries can be used to site for a new event, which makes it easy to use, deploy and understand.

Endpoint access is the only issue I can think to mention, even though the endpoint access we have with Cisco is fine. 

I have been engaged in the production environment of Splunk for around a year and have been reading up on it for a long time.

I would rate Splunk as one of the big five platforms. I would give it a high rating based on the efficiency of the platform. 

Splunk allows one to easily scale up this platform. One can add more interfaces to that platform if he gets more data. 

I usually rely on the Splunk community for information, such as discussions of incidents and other issues which others are facing. I feel the Splunk community to be an excellent source of information for me.

Out of the three platforms I have been dealing with, I feel the initial setup of Splunk to be the easiest. I found it a bit difficult to set up a new environment with RSA Netwitness. Splunk, on the other hand, I have found to be very straightforward and an uncomplex platform. 

I have been proposing to management to take the solution to be a primary product in our dealings with it. We do not encounter many issues involving the solution. One of the problems I have with the RSA Netwitness platform is its complexity. Splunk is straightforward for us when it comes to views and it provides us the network security posture.

The ability for the solution to work with Cisco shows that the solution can work with other products. The only thing is that when the solution is compared with other vendors, one sees that there is only a single other vendor that has endpoint security like this one, Netwitness platform having its component for the endpoint. This is why an integrated endpoint would be a nice feature, even though the solution works on Cisco. 

The main advantage of the solution is that it provides an easy setup platform in the new environment. When set up afresh, it is also easy to build queries. Historical queries can be used to site for a new event, which makes it easy to use, deploy and understand. 

When it comes to a data platform, there is RSA NetWitness, which may also be a good platform. I have not done much training of my own on Splunk, but have gained much experience through learning and working with clients that I support. This is because the platform is understandable. 

I would rate Splunk as one of the big five platforms. I would give it a high rating based on the efficiency of the platform. Clearly, I cannot include Wazuh in the top five categories, as its rating is not up there with Splunk, Qradar and LogRythm.

I cannot think of anything disadvantageous about Splunk, as we are talking about a product that I like. I feel the solution has beautiful features. 

The decision to go with Splunk would depend on the business needs of the individual. I know that Splunk has both a cloud and an on-premises option. Sometimes, such as when it comes to conferences, there is no need to move some of the data to the cloud for the purpose of complying with regional requirements. There may be a need to retain some of it and a person might wish for a mixture of on-cloud and on-premises capabilities.

I rate Splunk as an eight out of ten. It is a robust platform and easy to use.