reviewer2239899 - PeerSpot reviewer
Insider Thread Consultant at a manufacturing company with 10,001+ employees
Consultant
Aug 13, 2023
A reliable and stable solution that helps detect internal threats and improves business resilience
Pros and Cons
  • "The search lookups are useful."
  • "The product must improve insider threat detection."

What is our primary use case?

My use cases are very limited. I use the product mostly to detect internal threats like data exfiltration.

What is most valuable?

I am a basic user. The search lookups are useful.

What needs improvement?

The product must improve insider threat detection. Almost everything is outside in, but not inside out.

For how long have I used the solution?

I have been using the solution for four years.

Buyer's Guide
Splunk Enterprise Security
May 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
902,270 professionals have used our research since 2012.

What do I think about the stability of the solution?

The solution is very reliable. I like its stability. It always works.

What do I think about the scalability of the solution?

Sometimes, it takes time when we need additional information or something extra. However, the tool’s able to do it.

How are customer service and support?

I haven’t contacted the support team. I reach out to the internal expert. My searches and my requirements are very basic. The expert is great. He’s always able to help me and guide me.

What was our ROI?

We do see a return on investment. The product saves us time by automating reports and helping us see data.

What other advice do I have?

The solution helps reduce our mean time to resolve. It’s great to automate some tasks. I believe Splunk has helped improve our organization’s business resilience. We have become stronger in insider threats by just stopping things, being able to show what is leaving, and taking action on it. It's very useful when I try to identify events.

When I started working in my organization, they were using Splunk. Overall, I rate the product a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2239896 - PeerSpot reviewer
Engineer at a government with 10,001+ employees
Real User
Aug 13, 2023
We can create notable events and look at the data faster, but Dashboard Studio needs to mature a bit
Pros and Cons
  • "From the class that I took this week, being able to create notable events from whatever you find in the data set is pretty useful."
  • "We are waiting for Dashboard Studio to mature a little bit more. There are some things that we are using with Classic Dashboards which have not yet made it to Dashboard Studio. We are waiting for that."

What is our primary use case?

We use it for a lot of compliance work and incident reviews. We are also using it for remediation and tracking assets.

How has it helped my organization?

We use Splunk not just for security, but we also collect a lot of data from our operational equipment. We are using it a lot for troubleshooting and trending and even for command and control.

It has reduced our mean time to resolve some of the things. We are able to look at the data a lot faster and see what is going on. For some of our use cases, our NOC controllers or our operators are looking at the Splunk dashboard a lot. It is a part of their main job. In one specific use case, we used to take a couple of weeks to do certain maintenance. With Splunk and having the data, we were able to reduce that to just a few hours.

It has helped improve our organization's business resilience. We are able to have the data collected in one spot, see it, and get some insights from it. That has helped a lot.

It has definitely given our technical workforce tools to help with their jobs for troubleshooting and things like that.

What is most valuable?

From the class that I took this week, being able to create notable events from whatever you find in the data set is pretty useful.

What needs improvement?

We are waiting for Dashboard Studio to mature a little bit more. There are some things that we are using with Classic Dashboards which have not yet made it to Dashboard Studio. We are waiting for that.

It seems to be limited in terms of predictive features. I took up machine learning a couple of years ago. It seems to have some capabilities there, but I do not have specific things for it right now.

For how long have I used the solution?

In our organization, we have had it for over five years, but my personal experience with it is very limited.

What do I think about the stability of the solution?

It has been working for us so far.

What do I think about the scalability of the solution?

We have been able to scale as needed.

How are customer service and support?

I have not contacted their support directly because we have folks who are pretty knowledgeable. I go to them, and then they go to their support if needed. As far as I could tell, their support has been okay. I have not heard of any issues.

Which solution did I use previously and why did I switch?

We did not have a similar product. Splunk came as a security product, and we have evolved it into doing operational work.

What about the implementation team?

We have folks who do the deployment. I am more on the interface side.

What was our ROI?

We would have seen an ROI. We are using it for a lot of our operational work and other things as well that are not related to what we are doing on a daily basis. We are looking at logs and other things that our executives are looking for.

Its time to value was within a year or so. There are a lot more things that we could do with Splunk, and that is why we ended up adding some stuff to it to fit our needs.

It is hard to tell whether we had any cost efficiencies because we did not have something like this before. Of course, we have Splunk now.

What's my experience with pricing, setup cost, and licensing?

As a team, we prefer the old pricing model with a perpetual license. We are still evaluating the whole subscription-based model. 

Which other solutions did I evaluate?

We did not evaluate other solutions. Splunk came in with the modernization effort that we were going through, so it just came with the system.

What other advice do I have?

We are pretty happy with it. I would rate Splunk Enterprise Security a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Kenny Corbett - PeerSpot reviewer
Associate Director of IT at Rigel Pharmaceuticals Inc
Real User
Jul 25, 2023
Provides risk scores and end-to-end visibility
Pros and Cons
  • "It provides a risk score for each object, device, or user. We can then take action if they are at a higher risk."
  • "The pricing can be better."

What is our primary use case?

Splunk Enterprise Security provides more visibility into endpoints in our environment.

How has it helped my organization?

We only monitor AWS, but we also have SaaS services that are in our own clouds. So far, it is easy to monitor our cloud environment with this solution. As long as we ingest our data correctly and tune it, it will read it. It is very easy to use.

It provides end-to-end visibility into our cloud-native environment. This is critical for us because we are always one step away from a security incident, which could impact the company and cost a lot of money. That is our main point of focus.

What is most valuable?

It provides a risk score for each object, device, or user. We can then take action if they are at a higher risk.

What needs improvement?

The pricing can be better.

For how long have I used the solution?

We have been evaluating Splunk Enterprise Security for the last eight months.

What do I think about the stability of the solution?

I cannot say anything about stability, but I am assuming it would be the same as Splunk. It is an app. It is going to work.

How are customer service and support?

The technical support is above average, but they do not go into the details, so we have a contract with a third party to help us.

There might be more Splunk support tiers, but we are working with SP6. They will get their hands directly onto our Splunk environment, whereas Splunk support does not do that. Maybe there is a different tier that does that, but we do not have that. It is more of an email dialogue. They are not going to VPN into our environment. SP6 is more hands-on. I would rate SP6 a nine out of ten.

Which solution did I use previously and why did I switch?

We did not use a similar solution. We have Carbon Black for endpoints, but this is going to be a lot bigger than that.

How was the initial setup?

We are still evaluating it. We have not deployed it yet, but I was involved with the deployment of Splunk. 

It was very easy to set it up for evaluation. It is just an installer file. It is an add-on app for Splunk, and if you know how to install Splunk and add-ons, it is easy.

What's my experience with pricing, setup cost, and licensing?

I am fine with the licensing, but in terms of the cost, it is expensive for the data that we have. We have an open discussion with our account rep about this.

Which other solutions did I evaluate?

We are not evaluating any solutions because we already have Splunk, and we do not want to leave Splunk. I like it, so it is just a matter of making the commitment.

What other advice do I have?

The value that I get from attending Splunk Conferences is going to sessions and learning about what other people are doing and use cases that I have not really thought of. Also, I am able to talk directly to people about questions I have regarding our Splunk instances, and I can get some answers right away. It is very good to know what people are doing because sometimes we do something one way, but we do not know if we are doing it the right way. Here, we can get validation, or realize that we are doing it wrong and make the necessary changes. That is very valuable.

I would rate Splunk Enterprise Security a ten out of ten. Most customers at the conference have already implemented it, except for our company. It is a critical foundation app that allows you to explore other apps that Splunk is grading, and it works.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Regional Channel Manager at i2sBusiness Solutions
Reseller
Top 5
Jul 10, 2023
Drastically reduces time spent by analysts on false positives, and AI-based detection identifies real-time anomalies
Pros and Cons
  • "The dashboard and reporting are very good... It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk."
  • "While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated."

What is our primary use case?

The use cases are mainly around monitoring for our clients' security operation centers and correlation of events and analytics for incidents that have been identified.

How has it helped my organization?

It has really improved things for our clients by reducing false positives. Most of the time, analysts end up wasting their time with false incidents, and that has been drastically reduced by Splunk.

It also definitely helps speed up your security investigations.

What is most valuable?

The dashboard and reporting are very good. Our clients monitor multiple cloud environments and Splunk helps because, in general, monitoring multiple cloud environments is definitely difficult and very complex. It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk.

The solution is also very good in its threat-hunting capabilities and anomaly detection. It uses an AI-based detection system to identify real-time anomalies and provides complete visibility into the network.

And you can feed multiple threat sources into Splunk and the Threat Intelligence Management feature gives you information about current or potential attacks. It provides complete security support in the threat intelligence space. It helps your administrator to correlate indicators of compromise from threat intelligence databases and feeds.

Also, the Splunk Mission Control feature, which is mainly for Splunk Enterprise Security cloud users, provides a unified and simplified security operations experience for SOC analysts.

We also use the solution's Threat Topology and MITRE ATT&CK framework feature. That's something you need for cyber breaches to contain a threat. This feature comes into play when you need to mitigate an incident in your environment.

What needs improvement?

While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated. Splunk has integrations with AWS, Azure, and other cloud providers, but when it comes to legacy applications, it is difficult to do a Splunk integration.

For how long have I used the solution?

We have been working with Splunk Enterprise Security for one and a half years.

What do I think about the stability of the solution?

It's a very stable solution. 

What do I think about the scalability of the solution?

It is very highly scalable.

How are customer service and support?

The technical support is very good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used IBM Security QRadar. The main reason for switching is that Splunk has the scalability to handle bigger enterprise logs. Log management is the biggest issue in any SIEM. Splunk is able to rapidly grow its capacity.

How was the initial setup?

Our clients' implementations are mostly on-prem and in the cloud.

What's my experience with pricing, setup cost, and licensing?

Splunk is definitely not a cheap solution. It is an expensive product.

If a customer is evaluating SIEM solutions and is considering cheaper products, it depends on the customer's budget and use cases. For a large, enterprise customer with critical infrastructure that needs to be monitored 24/7, obviously, the cheaper solutions may not have the capacity to handle the huge volume of data. Splunk has the SIEM and the scalability as well as visibility features. When you want to monitor your applications and how they are performing, that is where Splunk is very strong.

What other advice do I have?

In terms of maintenance of Splunk, you need to have an IT administrator monitoring it at all times.

When it comes to a large, enterprise customer's critical infrastructure, Splunk is one of the best solutions to use in a security operations center. It has multiple advantages, such as the dashboard that provides complete visibility, and a threat detection system with very advanced features. It is very valuable for any company that wants a good protection system.

You should definitely consider Splunk as one of your options for your SOC.

Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
PeerSpot user
reviewer2205072 - PeerSpot reviewer
Cyber Security Engineer at a university with 5,001-10,000 employees
Reseller
Jun 20, 2023
The analytical features helped us reduce our alert volume by 30 to 40 percent
Pros and Cons
  • "I like Splunk's data aggregation and search capabilities."
  • "Splunk could add more ways to manage archiving and storage. There isn't a web interface. You can do this on the SaaS version, but the on-premise platform doesn't have this option. It has other things but no option for remote NAS. I would like to have a personal web interface where I can specify how long logs should be stored. To have this readily available on the web, you need to adjust some settings on the backend. That is tricky."

What is our primary use case?

Splunk Enterprise Security is a SIEM solution we use for security compliance and threat detection. 

How has it helped my organization?

Splunk helped us fulfill our requirements for security compliance and auditing. It also protects us from attacks. We can quickly notify our customers if they are facing any attack or breach. 

The solution's analytical features helped us reduce our alert volume by 30 to 40 percent. Splunk significantly speeds up our security investigations. 

What is most valuable?

I like Splunk's data aggregation and search capabilities. The insider threat detection features are handy, and Splunk's user behavior analytics are solid. It's one of the best tools for UBA. It covers everything. 

Splunk's Threat Intelligence Management draws from 10 to 15 open-source sites in real-time, enabling us to correlate our data with the IOCs. It helps us detect zero-day attacks. Splunk's threat topology and MITRE ATT&CK framework cover everything, including endpoints and application security from Layer 3 to Layer 7. Most queries are available out of the box. 

It's a fantastic tool for monitoring your environment. It allows you to do some granular analysis and see which assets are part of an attack. When breaches occur, you can quickly search your entire environment. It speeds up our threat-hunting process. 

What needs improvement?

Splunk could add more ways to manage archiving and storage. There isn't a web interface. You can do this on the SaaS version, but the on-premise platform doesn't have this option. It has other things but no option for remote NAS. I would like to have a personal web interface where I can specify how long logs should be stored. To have this readily available on the web, you need to adjust some settings on the backend. That is tricky. 

For how long have I used the solution?

I have used Splunk Enterprise Security for four years. 

What do I think about the stability of the solution?

I rate Splunk Enterprise Security nine out of 10 for stability.

What do I think about the scalability of the solution?

I rate Splunk Enterprise Security nine out of 10 for scalability.

How are customer service and support?

I rate Splunk support eight out of 10. 

How would you rate customer service and support?

Positive

How was the initial setup?

Deploying Splunk is straightforward, but it requires some preparation. After you get your platform ready, the onboarding is easy. It isn't rocket science. Configuring visualization is also simple. It doesn't require much maintenance on our end because we have an SLA. 

What's my experience with pricing, setup cost, and licensing?

I work on the technical side, so I don't know precise figures. However, I know that Splunk is a premium product, so it's somewhat costly. Still, you get a lot of unique features for the money. 

You can choose the cheapest solution, but that will only help you achieve compliance in the near term. However, over time, you will begin to realize that there are so many security gaps that your team can't address. You need a solution like Splunk to maintain long-term security compliance. 

What other advice do I have?

I rate Splunk Enterprise Security 10 out of 10. My advice to Splunk users is to keep it simple. You don't need to complicate things or bring in AI and ML. Focus on the fundamentals like data onboarding and extraction, parsing, visualization, etc. Keep your dashboard simple, so it's easy for the end-user to understand. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
PeerSpot user
Security Analytics innovation lead at a pharma/biotech company with 10,001+ employees
Real User
Jun 20, 2023
Enables us to integrate the solution with other products to automate tasks, saving us time
Pros and Cons
  • "You can integrate Splunk with third-party security automation solutions and set rules for automatic response."
  • "Splunk ES could have more pre-built integrations and rules. The detection is fairly accurate, but it depends on the rules you create. Splunk's out-of-the-box configuration isn't that useful."

What is our primary use case?

We primarily use Splunk Enterprise Security for security incidents and event management. The solution is deployed in one department, but it covers multiple locations worldwide. 

How has it helped my organization?

With Splunk, we can monitor and manage enterprise-wide events. It provides a single console for various data sources covering the entire organization, which is critical for compliance purposes.

We can integrate Splunk Enterprise Security with other solutions to automate some security tasks, saving us some time. For example, if you detect potential malware and you want to isolate one system from the organization's network, you don't need to trigger a process. We can fully automate that. Minutes after malware is detected, the machine will be automatically quarantined from the rest of the network. 

What is most valuable?

You can integrate Splunk with third-party security automation solutions and set rules for automatic response. Splunk can monitor multiple cloud environments, but it's a little tricky if you're working with several vendors. Every cloud environment is slightly different, and some are better integrated.

The visibility into multi-cloud environments is decent. It depends on the number of sources you have, and Splunk is pretty flexible from that perspective. You can add any type of data source. The challenge is the engineering effort some of these data sources require, but others are effortless to manage.

We haven't used the insider threat capabilities yet, but it's an area that we want to explore. We have other tools for this. We use different products for threat intelligence. 

What needs improvement?

Splunk Enterprise Security could have more pre-built integrations and rules. The detection is fairly accurate, but it depends on the rules you create. Splunk's out-of-the-box configuration isn't that useful. 

If you spend time with your team creating rules specific to your environment, you can get a lot of value from Splunk. At the same time, that requires some additional effort and costs. Splunk has a few built-in integrations that are ready to go. In other cases, we need to build custom solutions, which is more difficult and costly.

For how long have I used the solution?

I have used Splunk Enterprise Security for about three years. 

What do I think about the stability of the solution?

It is stable overall. 

What do I think about the scalability of the solution?

Splunk Enterprise Security scales up pretty well. 

How are customer service and support?

I rate Splunk support seven out of 10. There is a little room for improvement. We always start with junior support engineers who lack the experience to deal with complex issues, which are the only problems we ever contact support about. Our staff members can handle most minor issues. 

We typically need to escalate, and we've had an excellent experience with the higher-level engineers. Those qualified engineers are scarce, so I can imagine a situation where two big Splunk customers have significant problems simultaneously, but there aren't enough available technicians. Splunk has the right people but maybe not enough of them. The process could also be improved. 

How would you rate customer service and support?

Neutral

How was the initial setup?

Deploying Splunk was relatively complex. After deployment, it requires some maintenance and management. A team of about 10-15 people is responsible for the solution. 

What about the implementation team?

We deployed Splunk with an in-house team of five to 10 people and some professional support from the vendor. 

What was our ROI?

We've seen an ROI by automating Splunk Enterprise Security, but automation requires another product and license. 

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is quite expensive compared to some products on the market. 

Which other solutions did I evaluate?

The company evaluated a few tools before deciding on Splunk. I used ArcSight at a previous job. Splunk is more flexible than ArcSight, and it has various modules you can purchase to expand the functionality. You don't need to invest in a different solution because you can purchase add-ons for your existing infrastructure. 

It's modular, so you can tailor Splunk to your organization's size, structure, and specific needs. The customer can do it. You don't need to request it from a service provider. 

What other advice do I have?

I rate Splunk Enterprise Security eight out of 10. My advice would be that before deploying Splunk, research some of the company's materials and make sure it meets your cybersecurity requirements. 

You may need to purchase other tools, and the solution might not do everything you want it to do out-of-the-box. Depending on your environment, you'll probably need to invest some time and money into the solution to get the results you want. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Alparslan Özdemir - PeerSpot reviewer
Cyber Security Engineer at a tech vendor with 51-200 employees
Real User
Top 10
Jul 9, 2025
Deployment and search capabilities boost practical use and efficiency
Pros and Cons
  • "Its search is very flexible, allowing you to search anything by typing a sentence."
  • "Splunk Enterprise Security is a wonderful solution; however, the background configuration process could be better as the administration process is very complicated."

What is our primary use case?

I'm a technical support engineer for Cortex XDR at the moment and in my company, we are selling the Cortex XDR solution to other companies. 

I also have experience with Splunk Enterprise Security and CrowdStrike too; we are using those products in my company. For Splunk Enterprise Security, I am using the Enterprise Security module and base Splunk for developing rules.

What is most valuable?

The deployment server is very good and is one of the best features of Splunk Enterprise Security for me; you can use that deployment server even for distributing any agents, upgrading automatically, and universal forwarders. Its search is very flexible, allowing you to search anything by typing a sentence.

What needs improvement?

Splunk Enterprise Security is a wonderful solution; however, the background configuration process could be better as the administration process is very complicated. As an analyst rather than a Splunk engineer, some background configurations might be easier.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for six months; however, I have been using Splunk for one year.

What do I think about the stability of the solution?

Splunk Enterprise Security is a very stable product; I have never been in trouble with any stability problems if you set it up correctly.

How are customer service and support?

I would give support a seven out of ten as Splunk Enterprise Security's advanced support is very skillful; however, to reach that advanced support, first they send you some beginner-level support that mostly does not solve problems for me. That said, when they escalate it, it completely finds a solution.

How would you rate customer service and support?

Which solution did I use previously and why did I switch?

Before Splunk Enterprise Security, I didn't use any other solution.

How was the initial setup?

I did not set up the Splunk Enterprise Security; my admin colleagues from another department set it up for me.

I'm just using and revising the rules. I'm a Cortex admin, so I'm involved in the process for Cortex, not for Splunk Enterprise Security.

My company is a partner with Splunk Enterprise Security. As an engineer and layer two security analyst, I'm solving problems with Splunk Enterprise Security, editing rules on customers, reviewing alerts, and developing rules.

What's my experience with pricing, setup cost, and licensing?

I'm not aware of the price of the tool. My company and other departments arrange the licensing.

What other advice do I have?

On Splunk Enterprise Security, we imported from the content library, specifically from the content management page that contains many rules; we are importing rules from there, enabling rules, and editing them. I'm not a deep down administrator of Splunk Enterprise Security, so I'm not arranging the data models. I'm mostly editing the rules.

On a scale of one to ten, I rate Splunk Enterprise Security an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Aaron Hodge - PeerSpot reviewer
Security delivery manager at a tech vendor with 1,001-5,000 employees
Real User
Top 20
Jul 9, 2024
Drastically reduces SOC overhead
Pros and Cons
  • "The tool drastically reduces SOC overhead. Its integration with our tool suite is great and helps us correlate events. The solution is also a lot faster than our standalone instances."
  • "The solution is expensive."

What is our primary use case?

We use the solution in our SOC to support SOAR. We use its alerting capabilities and integrate them with our SOAR platform. Additionally, we tie it in with cyber threat intelligence, cyber threat hunting, and adversary emulation tools to identify gaps in our environment and alert us to notable events.

What is most valuable?

The tool drastically reduces SOC overhead. Its integration with our tool suite is great and helps us correlate events. The solution is also a lot faster than our standalone instances. 

Splunk Enterprise Security helps address our customers' missions. We want to ensure that our environment is secure and safe and detects anomalies and threat actors as soon as possible. 

The solution helps my organization's ability to ingest and normalize data. It has also improved resilience.  

What needs improvement?

Enterprise Security is expensive. 

For how long have I used the solution?

I have been working with the product for three years. 

What do I think about the stability of the solution?

Splunk Enterprise Security is very stable. 

What do I think about the scalability of the solution?

The tool is very scalable. We can deploy agents seamlessly and get reports. 

How are customer service and support?

We have had good success with customer support. We haven't had any issues contacting them and getting problems resolved. 

How was the initial setup?

Splunk Enterprise Security's deployment is hit or miss. Recently, we got UBA. We were able to spin up an environment easily with Terraform. However, the recent upgrade caused many hiccups and slowdowns. We are working with support to resolve them. Some legacy code is choking the system and slowing us. 

Which other solutions did I evaluate?

We do market evaluation and continuous research every year to check for alternatives to our security tools. 

What other advice do I have?

It seems like the tool is improving. It incorporates AI into the platform to streamline event identification processes. 

Splunk Enterprise Security does a good job. However, we need many analysts to correlate searches and populate data models, and some overheads are needed in any SOC environment. 

We have a lot of data to process from different sources. However, we have only limited data analysts. It takes time to find malicious threats or what we seek. 

No specific metrics are tracked, but we report this to our leadership weekly, focusing on continuous improvement. Regarding reducing the mean time to resolve, especially with our SOAR integration, we can swiftly address major issues by leveraging alerts to initiate tickets. This allows us to notify the teams and address issues immediately. 

I rate the overall product a ten out of ten. I don't think there is another alternative with similar capabilities. 

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
reviewer2170611 - PeerSpot reviewer
Security Architect at a computer software company with 501-1,000 employees
Reseller
Jun 16, 2024
Reduces alert volumes, speeds up investigations, and handles big data well
Pros and Cons
  • "If you want to understand how it can analyze or find out incidents, the visibility is good."
  • "We'd like to see a more seamless cloud-based integration."

What is our primary use case?

The solution is primarily for security incident investigation. Whenever a customer wants to monitor the environment for any security incident or events that are occurring, and they want to analyze the incident when virtual issues happen, that's when we propose Splunk. Otherwise, it's difficult to understand what kind of security event is arising in the environment.

What is most valuable?

The primary feature that is the most valuable is the correlation feature, which helps you analyze the data. If there's a lot of telemetry data at some point, Splunk can take advantage of it. It can handle a large volume of data. 

Now, with big data, AI, and all those things, the amount of security data that is generated is too high. Generally, the other SIMs face trouble when handling big data. However, Splunk itself is a very strong solution for handling lots of data. It helps the SOC team analyze data very well, and it does not crash on handling a large amount. That's a key benefit.

Our customers usually monitor multiple cloud environments. It's not very difficult. There are two ways we use Splunk. One is that they can be multiple cloud environments. The second is that it can be an on-prem and a cloud environment. We are mapping it to our one solution. 

Splunk is very flexible and it's integratable with other solutions.

If you want to understand how it can analyze or find out incidents, the visibility is good. The best visibility would always be in the on-prem environment. Then, the cloud, since Splunk is not a native cloud solution like Microsoft's Sentinel, is used. We don't see a lot of challenges if we do a hybrid kind of setup, however.

I'd assess Splunk's insider threat detection capabilities to help find unknown threats or anomalous user behavior at an eight out of ten. Splunk itself uses another agent or another module to do it. Splunk does the job. It's not that it will not do the job; however, it will require more refining than other solutions in the market.

My team uses the Splunk Mission Control, topology, and attach framework features, which are really helpful. We've used it for multiple customers. We take their existing SOC or detection use cases and try to map them to the framework. From a security point of view, it obviously makes a solution more superior. With Splunk, you can catch more security incidents. From a best practice standpoint also, it is a good thing as we can configure the solution, and, according to that configuration, the entire performance is better in terms of security. 

It's very useful for assessing malicious activities or detecting breaches. It's a robust solution. 

We've been able to help customers detect threats faster. It might be 5% to 10% faster in some cases. And since we can analyze large volumes of data, we're not missing any particular data point or data set. That gives us an advantage.

Splunk helps reduce alert volume. You can reduce your alert volume based on your configuration, and it's highly customizable, so it can help you reduce alerts by a lot. It's helped us improve the quality of incidents we receive. 

It's helping customers speed up security investigations somewhat.

It improves the resilience of a company thanks to its ability to quickly analyze data.  

What needs improvement?

While it's costlier than other solutions, it's highly stable. 

The security orchestration response requires a bit of improvement. 

We'd like to see a more seamless cloud-based integration.

Their mobile features for iOS and Android could be improved in terms of quality of performance. 

For how long have I used the solution?

I've been using the solution for three and a half years. 

What do I think about the stability of the solution?

It's a highly stable product even for large customers with diverse environments. For companies that have huge amounts of data even, it does not crash. It's the preferred option when a lot of data is involved. It offers good resilience and improves performance. 

What do I think about the scalability of the solution?

I'd rate the scalability seven out of ten since it is not cloud-native.

How are customer service and support?

Technical support is good. We purchase premium support services.

How would you rate customer service and support?

Positive

How was the initial setup?

I was not involved in the initial setup of the solution. 

The solution is deployed wherever your appliance is. You deploy it where your software team wants to monitor from. Typically, that's headquarters or a company's security center. Splunk then has agents that help devices connect across geographies. For example, while Splunk may be primarily in the UK, it can cover devices via agents across Europe, and the agents can monitor other environments.

We have between two and five people who handle maintenance activities, depending on the client.

What other advice do I have?

There is a threat intelligence management feature. However, customers don't use it in our case. Typically, customers want something superior in that nature.

Price is a major concern for most customers, big or small. However, price should not be the determining factor when seeking a solution. Users need to think about performance and quality. They need something that will help them prevent security incidents, and they need a product that will be stable. If you can monitor your environment better, you can prevent incidents that may lead to financial loss - and when incidents happen, companies can spend far more dealing with an extended phishing attack than they would on a service like Splunk that will protect them effectively. When it comes to security, while it's not necessary to have the most expensive solution on the market, you should at least seek out a solution that's best suited to your company and its needs.

I'd rate the solution eight out of ten. It's a great option for enterprise-level companies. However, a smaller customer with a smaller budget may not be a good match. They may not need such a powerful solution in any case. That said, if a customer is about to grow a lot, I might suggest Splunk as a primary option. I'd advise potential users to look at the environment size and complexity, consider the budget, and then decide if Splunk makes sense. 

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer. reseller
SathishKumar11 - PeerSpot reviewer
Senior Manager at Wipro Limited
Real User
Jun 10, 2024
Helps reduce the alert volume, speeds up investigations, and detects threats faster
Pros and Cons
  • "The initial deployment was straightforward."
  • "Splunk's reporting functionality would benefit from enhanced customization capabilities, allowing users to tailor reports to their specific needs for better data visualization and analysis."

What is our primary use case?

We use Splunk Enterprise Security to monitor our environment.

How has it helped my organization?

The threat intelligence and monitoring of Splunk are good. 

We have integrated Splunk Enterprise Security with ServiceNow, so whenever there is a detection, it will automatically raise a ticket and send it to the appropriate team for analysis. The integration was seamless.

Splunk has helped reduce our alert volume by 20 percent and sped up our security investigations.

It does a good job detecting threats fast.

What needs improvement?

Splunk's reporting functionality would benefit from enhanced customization capabilities, allowing users to tailor reports to their specific needs for better data visualization and analysis.

For how long have I used the solution?

I have been using Splunk Enterprise Security for one and a half years.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable.

What do I think about the scalability of the solution?

Splunk Enterprise Security is scalable.

How was the initial setup?

The initial deployment was straightforward.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is expensive.

What other advice do I have?

I would rate Splunk Enterprise Security ten out of ten.

For reporting, we don't use the Splunk dashboard; we use Tableau and Power BI.

I would recommend Splunk to others.

While Splunk Enterprise Security offers robust features for large organizations, its cost might be prohibitive for smaller businesses. To address this, I recommend exploring open-source SIEM solutions for small and medium organizations and Splunk for larger organizations.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.