Splunk Enterprise Security Reviews

I use Splunk Enterprise Security for monitoring, threat hunting, and quick response. By implementing Splunk Enterprise Security I aimed to address security challenges and threats for both myself and my clients.

Splunk Enterprise Security has significantly improved our organization by centralizing data and enabling efficient correlation across multiple vectors. The benefits were realized quickly after deployment, with noticeable improvements within the first three to six months.

Splunk Enterprise Security has sped up my security investigations, approximately by 30-40%.

The most valuable features of Splunk Enterprise Security are its high-performance data collection, flexible query language, and its versatility across the organization. The unique query language, once mastered, provides flexibility, and the tool extends beyond just security, benefiting network and development teams. This versatility and speed in searching and trend identification enable quick defense for my clients. For me, it is about fast detection, rapid response, and easy access to crucial data.

Splunk Enterprise Security could improve in automation, flexibility, and providing more content out of the box. The effort required for tuning and management is higher compared to some other solutions. Focusing on automation and reducing the engineering effort would enhance its effectiveness. I would like a store platform similar to what Sentinel offers to be included in the next release of Splunk Enterprise Security. Additionally, the pricing structure needs improvement.

I have been using Splunk Enterprise Security since 2016.

The stability of the solution is quite good.

The scalability of Splunk Enterprise Security is good. The solution is stable and performance-driven, making it well-suited for scalability.

The community support for Splunk is excellent, with an engaged user community. However, for the standard technical support, unless you opt for the premium, I would rate the support as three on a scale of one to ten. It is not as helpful as desired.

Before Splunk Enterprise Security, I used various solutions, including LogRhythm. I chose Splunk because it proved to be more stable and reliable, especially compared to the issues I experienced with LogRhythm. With Splunk Enterprise Security, it takes my analysts approximately 30-40% less time to resolve alerts compared to our previous solution.

Monitoring multiple cloud environments using Splunk Enterprise Security dashboards is moderately easy, around a six out of ten. Setting it up requires a fair amount of engineering effort, especially for non-Splunk Cloud environments like Azure and GCP. Once configured, monitoring becomes straightforward, allowing easy creation of use cases and efficient log monitoring for improved cloud security.

The initial deployment of Splunk Enterprise Security was complex, involving significant engineering effort and tuning. It took anywhere from three to twelve months, which is considered a relatively long time. In comparison, deploying Microsoft solutions typically takes around six weeks on average, which is a significant difference in deployment efficiency.

The implementation strategy for Splunk Enterprise Security involved workshops, high-level design approval, and phased deployment covering physical deployment, log collection, testing, and tuning. Typically, three people from my team (project manager, lead engineer, and lead analyst) and around half a person from the customer's side are involved. Maintenance is substantial, requiring a team of 13 engineers for 60 customers, ensuring not everything breaks simultaneously.

I find Splunk Enterprise Security to be overly expensive, and their pricing model lacks flexibility. There is no consumption-based pricing, and dealing with Splunk can be challenging. They seem rigid, less accommodating, and often don't listen to customer needs. A more flexible and customer-friendly pricing approach, aligning with industry trends, would be appreciated.

Before choosing Splunk, I evaluated other options, including QRadar. However, if I were to evaluate them today, my choice might be different.

If you are willing to invest in engineering effort, Splunk Enterprise Security provides excellent visibility into multiple environments, including cloud, on-premises, and hybrid setups. While some solutions may require less effort, Splunk is capable and versatile, making it a strong choice for comprehensive visibility across diverse IT environments.

Assessing threat detection capabilities in Splunk Enterprise Security is like evaluating how easy it is to drive a car. It provides powerful tools, but mastering the query language for utilizing these features requires effort. Once you know how to use them, it becomes an effective tool for detecting unknown threats and monitoring user behavior.

I use the Splunk Mission Control feature, which is highly important to my security operations. It is particularly valuable for multi-tenant and multi-site mission control scenarios. The Splunk Mission Control feature is effective for centralizing threat intelligence and ticketing system data when dealing with a single entity or group. However, its usefulness diminishes when managing multiple customers with diverse policies and groups.

The features in Splunk for discovering the overall scope of an incident, including the topography aspect, are considered industry standards. However, the topography feature is not particularly useful in my case, so I don't extensively use it.

Splunk Enterprise Security is effective for analyzing malicious activities and detecting breaches, especially if you invest the effort. However, newer solutions are considered better and more flexible. While Splunk was an industry leader five years ago, today, platforms like Microsoft Sentinel may outshine it in terms of ease of use, especially for users unfamiliar with Splunk.

Splunk Enterprise Security has helped me detect threats faster compared to other solutions. It stands out in terms of speed and effectiveness.

My advice to others is that if you are looking for the cheapest solution, Splunk may not be the right choice. Consider alternatives like LogPoint or Arctic Wolf, but be cautious as they might not offer the quality and capabilities needed for effective security. Sometimes it is better to invest in a more robust solution than settling for a cheap option that might not meet your requirements. Overall, I would rate the solution as a six out of ten, mostly because of its pricing.

We use the product mostly just to pull out the reports, medical investigations, et cetera. As a security analyst, we can look at and pull data. You can make a central hub for a lot of different sources, including servers and endpoints. It makes it easy to check logs for every device connected.

If you are a data analyst, security analyst, or anyone who basically requires a set of data in your database job, and you have to have normalized data represented or, just to check for any patterns, this is quite helpful. With Splunk, you can pull in the data, you can transform it, and represent the data via graphs or pull the data and export it into Excel and perform further investigations. The use cases are quite deep. 

With this product, you can go for an in-depth search or just perform a surface-level search. There are different modes in which you can perform searches, and that basically defines the speed of how fast you can get the data. If you are going for a more detailed version offered, it'll take a bit of time. However, they'll give you more and more data. There's also a fast mode in it. 

The data which you can pull, you can basically visualize it, you can normalize the data, evaluate it, and convert the data into tables. It's much easier to pull the data, organize it, and normalize it as you are performing the searches. That's quite helpful.

I prefer working with cloud infrastructure like this as you can increase the storage capacity or the license at any time and search for a number of different endpoints. If you want to ingest more and more data, having something like Splunk available on the cloud is preferable. 

I take advantage of the incident response part of the solution. If anything happens at the endpoint, if anything happens at the user system, servers, or something like that, my role is to look into the logs, go through other investigations, perform a time scan, and create a timeline of all the events. This helps do that job.

I'm also aware they have a Mission Control. I have actually attended a few surveys on that, however, I haven't really implemented it due to the fact that we are in the middle of a few of the projects, and things are at higher priority as of now. So we haven't really focused on that.

Using Splunk, we can check out what server versions we have. If we just cross-check with the database, we can see if we have any availability and then we can pull in the files. If you have a database, you can perform a query to check for any particular problems in the entire environment. For the threat notifications, it's quite helpful.

Indirectly, it's helped us reduce our alert volume. If you have a list of files, you can run it through the environment and, based on that, create rules and exceptions. This indirectly helps reduce alert amounts. You can go through false positives and sort them out as well and create a rule against them. 

It's helped speed up security investigations. Being a central hub of logs, we can jump into a different log or source and jump into any investigation. You don't have to jump from one tool to another. This automatically reduces the investigation time. 

There are lots of free learning materials on their website. 

Overall, things are quite easy. It's a simple solution. 

I haven't explored beyond the security aspect as a data analyst. I haven't noticed any shortcomings so far. 

I've been using the solution for more than a year now. 

There are different modules, and I haven't activated all yet, however, the stability is okay. I would rate it seven out of ten. If we run into issues, there are materials they provide and online support. You can even call them. 

The solution is deployed to one location. It's deployed across the entire environment. 

The level of scalability depends on the license you have. You can expand or reduce it based on the environment. It does cost more money to scale, however.

I would rate scalability seven out of ten. 

Support is quite responsive. They also offer 24/7 support services. 

Positive

I previously used Palo Alto XDR. 

I also used an email solution whose name I can't recall. You could check emails flowing into or out of your environment.

I wasn't involved in the deployment; the solution was set up when I arrived. 

That said, I did go through some setup videos, and the process does not look difficult. They provide the steps for every aspect. There's also always support you can reach out to if you have questions. 

There may be some maintenance required in terms of upgrading. When you upgrade the version, you may need to upgrade your sensors on the endpoints. However, Splunk is quite compatible with other devices, so it's not difficult. In our company, the administrators handle maintenance. 

I haven't witnessed an ROI in terms of how I'm using the tool. 

It's mostly for EDR. You can cover servers as well; however, that requires additional licenses. Pricing is based on usage. As an EDR specialist, I interact with the tools and perform investigations. I don't deal with licensing directly.

This is quite new to me. I've only recently started working with Splunk. I used to work in EDR. It took me two to three months to understand the internal architecture of the organization, and based on that, I can use Splunk for all kinds of searches. So, how long it takes to realize the benefits of Splunk depends on the person and the complexity of the environment. 

I did not evaluate other options. I adopted this tool when I joined my current organization. 

We're a Splunk customer. 

To those considering just going with the cheapest solution, it depends on your level of comfort with support. If you have a cheaper tool, the support would be addressed. With Splunk, that's the difference - their support response. If you have a tool with a good license, you will be able to get immediate help if there's any vulnerability.

I'd rate the solution eight out of ten. 

I'd advise others to take time to learn the solution and develop skills. It's all about DSL queries. If you are off on queries, it won't give you any results. You need to be accurate with your SQL commands.

We have many use cases for firewall logs in our system. We collect logs from these firewalls and customize our use cases.

The triad is one of the best features. The product has a good security posture. It provides many customizations.

The glass table feature does not perform as expected. It must be improved.

I have been using the solution for seven years.

The tool is stable. I rate the stability a seven or eight out of ten.

I rate the product's scalability an eight out of ten.

If something doesn't work, we reach out to the support team. The support provided by the team is great. The support is part of the entitlements in the license we buy.

Positive

I'm using Microsoft Sentinel. It is a cloud-native tool. Compared to Splunk Enterprise Security, Microsoft Sentinel is easier to handle. We use Splunk Enterprise Security because we have to manage a big infrastructure and may have many security vulnerabilities. The cybersecurity team decided to use Splunk Enterprise Security. The volume of data is high, so it is easier to manage it in Splunk.

The initial deployment was complex. If we need to customize the solution, we need one to four weeks to get all the data, manage the license, and calculate the resources.

The solution is costly. The cost is calculated based on the volume of data ingested per day.

It is not complicated to monitor multiple cloud environments using Splunk. It is one of the best solutions. The multiple cloud integration is open source. It's really helpful to monitor the structure and user authentication. I would definitely suggest it to people.

It's feasible to achieve visibility into multiple environments using the product. The cloud solution is recommendable. The on-premise product is tedious to manage, but it will be easier if we have a good resource to take care of the administration as an architect.

The tool has threat-detection capabilities. There are some limitations. We have a set of rules and patterns where we collect the tagging and the data we want to alert. It would have been better if detection and threat analysis recommendations were available out of the box. Though the solution keeps updating with the market demands, I still feel that the feature needs to be more reactive.

The product has inbuilt use cases for analyzing malicious activities and detecting breaches. It helps us run our alerts to catch malicious actions like brute force attacks or user-related authentication challenges. Splunk Enterprise Security has helped us reduce our alert volume. It has many automations and integrations. The SOAR tool detects and automatically manages repetitive and generic alerts proactively.

Splunk Enterprise Security helps us speed up our security investigations. It's at the top of its game. The tool is proactive and helps us take action before something happens. It has reduced our security threats. It is saving us hours of investigation. If you have a big data source, then I would recommend Splunk Enterprise Security. It will be easy for you to manage the data load. If you do not have a high data volume, you can look for other solutions like Sumo Logic.

My experience with the solution is really good. It has the capability to analyze the platform and take care of vulnerabilities. There is scope for improvement. We have a huge data volume of 2 TB per day. Our platform needs a solution like Splunk Enterprise Security to maintain the data volume and filter out our security vulnerability logs.

Overall, I rate the product a nine out of ten.

Our SOC uses the solution to monitor our corporate and franchise environments.

Risk-based alerting is the most valuable feature. It really allows me to drive down the alert count and the alert fatigue for my analysts to make the alerts they see more valuable and actionable. The way that alerts are handled is better in Splunk. SPL is easier in Splunk. The UI of Splunk makes it easier for our analysts to move around and see what they need to see.

There are a lot of areas that are currently being improved that I want to be improved. Features related to content management must be improved. The product is adding more drill-downs.

When the tool was originally set up, things were not configured properly due to the rapid deadlines for installing everything. Now, we have to go back and recover a lot of things that aren't properly configured.

I have been using the solution for approximately four years.

I haven't seen any issues with stability. Most of the stability issues I've seen have actually been on the on-prem hardware.

We have no issues at all with scalability. The tool has high scalability and usability. The size of our environment is relatively large since it is an enterprise solution. We have around 5000 users and a franchise base.

I have never had an issue with Splunk’s support team. Every time I ask a question, I usually receive really quick responses. We are in the middle of a migration, and the engineers helping us migrate to Splunk Cloud have been fantastic every step of the way. They provide really rapid and complete answers when we ask questions.

Positive

I use LogRhythm a lot. I worked for an MSSP, so I have seen several products. So far, Splunk has been my favorite.

We have definitely seen an ROI on the solution. Any security tool has a fantastic ROI. A lot of companies don't like to budget for security until there's an incident or something goes terribly, terribly wrong. Just having that SIEM and having eyes on potential security issues is an ROI.

We are behind a few versions. So I hope that as we upgrade, I get more ideas for what I'd like to improve. We're still in the process of moving to the cloud.

The product has improved our organization's business resilience. The right tools are available to our analysts within the product, and we use them daily. It has drastically driven down our time to remediate, which is huge for us. It's huge for any company. We don't want four hours to find out that something has gone terribly, terribly wrong. Finding such issues before they turn into full-blown security incidents has been our biggest impact.

Splunk Enterprise Security empowers our staff. It is so user-friendly. It allows our analysts at every level to learn the tool and learn more about security through the tool. I progressed from level one. Now, I'm a content developer for enterprise security. The usability of Splunk is the best on the market. The solution has helped reduce our mean time to resolve.

As we add new features and applications into Splunk, time to value is pretty quick on most things. As long as we have someone that's willing to go through the effort to configure, the time to value is rapid. Adding applications to Splunk is a seamless experience. The UI of Splunk makes life so much easier. Some of my experience is based on technical debt in the organizations I worked with. I would probably rate the tool a ten if we didn't have so much technical debt.

By attending Splunk conferences, I get to learn about all the new tools and how to implement them. I use it for RBA and Machine Learning Toolkit. I develop content for our company. I am here to learn how to implement RBA and Machine Learning Toolkit better to reduce alert fatigue for my analysts.

Overall, I rate the product an eight out of ten.

Our customers utilize Splunk Enterprise Security for either their cybersecurity program or their data warehouse program.

Splunk Enterprise Security's threat detection capabilities are effective in assisting organizations to uncover unknown threats and identify anonymous user behavior. However, this effectiveness is dependent on using the UBA modules and having the proper infrastructure in place.

MITRE ATT&CK is the framework that we use to detect and track well-known threats. When there are well-known threats, we can utilize the MITRE ATT&CK to identify any anomalies.

Splunk Enterprise Security has its own routine and process defined for analyzing malicious activities and detecting breaches. Mainly, we baseline the client's business process and day-to-day activity and then use it to detect malicious activity through various scenarios.

Splunk Enterprise Security assists us in detecting threats more quickly. We have an abundance of unrelated and meaningless data from the raw logs, and the solution aids us in organizing and correlating this data so that we can extract meaningful events and take appropriate action. This is the primary objective for the majority of our clients. 

In most cases, we provide monitoring and intelligence to our customers based on how they use the solution. This allows other technical teams, such as PC, system support, and other tech units, to take appropriate actions. Our main role is to provide them with alerts and use case scenarios, while the detection and actions are primarily related to other aspects.

When we initially implement Splunk Enterprise Security, there are many alerts and false positives. However, with time, we are able to align our configuration with the client's requirements and do more baselining, reducing such issues.

Splunk Enterprise Security helps to expedite security investigations. Without a security solution, our security team is unable to identify threats because the log and auditing data are unrelated and uncategorized. Consequently, we cannot access them promptly. Therefore, having a solution like Splunk Enterprise Security is crucial for our cybersecurity program. For certain clients' needs, we prefer using open-source applications like ELK and ESK. However, if they opt for an enterprise and commercial product, Splunk is among the top three choices.

The most valuable feature is the DSS, also known as SPL, because it allows users to script advanced queries with limited knowledge.

The CIM model is the method Splunk uses to normalize data and categorize its important parts, but it is quite complex. Simplifying this process would assist security officers in assessing threats and using the system more efficiently.

I would appreciate it if Splunk could add the feature of importing and exporting from web servers and third-party devices during project and process development. This addition would greatly enhance the value of the solution making the maintenance for the security officer easier. 

I have been using Splunk Enterprise Security for six years.

I rate the stability of Splunk Enterprise Security an eight out of ten.

Splunk Enterprise Security can be easily scaled once it has been installed and deployed.

Cyber threat levels are increasing every day, especially during the pandemic when most employees needed remote access to their business services. As a result, many organizations experienced a surge in attacks and required a resilient SIEM and cybersecurity solution.

I have used ELK, ESK, QRadar, Graylog, and LogRhythm in the past. One of Splunk's strengths over its competitors is its dedicated DSS called SPL.

The drawback of Splunk Enterprise Security is that upon initial installation, we need to do a lot of customization in order to have an effective cybersecurity program and deliver quality service to the client.

The initial setup is straightforward, but we need to make some configurations afterward that can be a bit complex. The deployment time depends on the size, but it usually takes several months to ensure stability and requires two SIEM engineers.

Splunk Enterprise Security is hardly affordable for most of our clients, causing many of them to resort to using open source solutions instead.

In addition to the licensing fee, there is also a support and maintenance charge.

I would rate Splunk Enterprise Security an eight out of ten due to its high total cost of ownership, difficulties in maintenance, and the complexity of configuration immediately after deployment. 

Splunk Enterprise Security may not be cost-effective for small and even some medium-sized companies. While each organization has different requirements, we do recommend Splunk for medium and large organizations.

Organizations should take into account the complexity of their environment. For instance, if they have a purely vendor-based environment for their network security appliance, it may be easier for them to handle security, fabric, and architecture requirements. However, if they operate in a multi-vendor and mixed environment, they need to conduct more research on how to integrate various components. Often, they rush into negotiating their cybersecurity program without sufficient research, leading to potential problems for clients.

The primary use case is security and data analytics. In general, we manage and maintain it for our customers.

Application-wise, it's good. Searching and reporting of data analytics is also fine. The dashboard presentations are also a good feature. Overall, its functionality is great and that's why we use it.

I would like additional support for custom add-ons, as well as cloud integration. Right now we have concerns because we have to customize applications for direct integration. But on-prem, it is all functional. We have to build it on our own. Previously, they developed custom connectors or add-ons for a lot of applications. But that number can be upgraded still. There are a lot of applications in the world that are not supported.

I have been using Splunk Enterprise Security for over two years. I received Splunk certification six years ago.

The stability of the functionality is good, but there are still bugs that keep hindering things. I am waiting but they are there and that is quite common. I think they have not yet been resolved from the older versions. The stability is a seven-plus out of 10.

It's scalable for all environments. Splunk Cloud can be scaled to a small or medium company, depending on their inputs or log resources. Businesses at the high end of medium-sized, and large companies, can go with the on-prem solution.

The technical support is good. 

However, there is a lot of delay nowadays. The last time we raised a case, it took quite a long for them to come back with their first response. That's not for a P1 or P2, but if it is a P3, they don't respond at the earliest. When they respond, it is quite late and we have to ask again. The first response is never an answer. It's always a query.

Still, the people I have worked with there are all an eight-plus out of 10.

Positive

It can be deployed on-prem or in the cloud. With the latter, it is Splunk's own cloud. 

The deployment of the solution is straightforward, but there is a lot of engineering activity involved in designing the architecture. Architecture-wise, it is fine, and bringing things together is not that tough, but maintaining and managing it is a tough job because we don't work in a normal environment. We work on something that is very defined to the network. That means we have to build everything from scratch and deploy it.

The implementation strategy depends on how the customer wants things done. But in general, I go through research and then develop and design. I ask the client what sort of environment is flexible or cost-effective for them. It's done in stages. It's a matter of understanding the infrastructure and then implementing,  or designing and handing it over to them.

If there are 1,000 log sources, it takes six months to a year to deploy, depending on how the customer is supporting the process.

Every on-prem solution involves maintenance, including keeping things upgraded, whereas Splunk Cloud is managed by the vendor. The number of people involved in on-prem maintenance depends on the size of the environment and how long our update window is. For example, if we have a green zone at midnight for three hours, and we want to upgrade at least 20 to 30 servers, it will take eight to 10 people working in parallel. But for a very small environment of 10 servers, it will take four people to manage it, or if we have a large window, even three people can do it.

We do it ourselves.

The pricing depends on the bandwidth of an organization and is good compared to some SIEM tools. IBM, for example, is quite costly. But Microsoft Sentinel is notably cheaper. I have seen a lot of organizations running on Sentinel.

IBM is for quite large organizations that don't want to have their data on the cloud. Splunk has both on-prem and cloud modules and, cost-wise, Splunk is better. Internally, we cannot push everything to the cloud. That would become too expensive for us. So we have it sitting in our data center and that is good.

I have worked with a number of other solutions including RSA enVision, IBM QRadar, as well as Microsoft, McAfee, and LogRhythm. 

If we want to build an add-on feature in Splunk, we have to build an application and then integrate it. But in other applications, there is a direct integration that only requires partial development and it will start functioning.

Also, there is something called correlation in a lot of other tools. Splunk also has it but it consumes a lot of memory. If we tag all the data, it is better, but tagging consumes storage and it makes it a little tough for us to run a search. 

If we want to work towards SOAR, if there were a little bit more integration so that our customers could taste SOAR, they could then move to Splunk Phantom or other tools. Right now, people are not using automation. Everything is done manually. Hopefully, that's the next goal. Security operations will surely use SOAR and, once they start tasting it, they'll get to know how it works. They can design playbooks and start using it. That's an additional feature I would like Splunk to bring in. 

Splunk's advantage is its search capability. Its search is notably faster. With Splunk, I can search easily on keywords. That is great. It also has something called "stats" and it runs much faster. Within minutes, it gives the data from a very large set. Spunk's dashboards are also a very good thing. No other application or tool is as versatile in presenting the dashboard. It all comes down to presentation. It may take a little bit of engineering work to develop and customize, to parse the fields and fetch the data, but the presentation is good.

We use it alongside some endpoints to detect log ins outside of scheduled work hours. If someone logs in outside of that range, we generate an alert for the security team to review.

I can use the MITRE ATT&CK framework. With the data that I ingest into ES, the MITRE app gives me visibility into what I'm covering from the techniques and tactics in the framework, which is pretty cool and convenient.

At the end of the day, it's the platform receiving the logs from all the other apps. You're watching all the information in just one place, so it's basically the core tool in the company. So, it is really important that Splunk Enterprise Security provides end-to-end visibility into our environment. 

In a way, Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data. However, there are a few tools that are hard to normalize or use data models. And some of the add-ons don't work properly sometimes. Not all of them, but a few.

Splunk Enterprise Security helped us reduce our alert volume by 30%.

Moreover, Splunk Enterprise Security provides us with the relevant context to help guide our investigations. And it's important because we need to set up the basis of the context of what we want to see.

Splunk Enterprise Security helped improve my organization's business resilience. It's a pretty powerful tool. We can monitor and ingest all the data, only if it's not encrypted.

Splunk platform helps consolidate networking, security, and IT observability tools. We watch all that information on just one platform, so that's pretty cool. 

The risk-based alerting (RBA) is one of the valuable features. It's a really cool concept to explain and see the impact that you're having on the company.

Splunk Enterprise Security's ability to find security events across different environments, whether in the cloud, on-premise, or hybrid, is really good. Because it gives me a lot of content out of the box, the only thing I need to do is ingest the data, and I'm good to go.

I would like to see the asset and identity lookups be more automatic and less manual. I have to search everything and type it. So it should be more user-friendly.

I have been using it for six months. 

The stability is really good. It's very accessible.

Most of the time, some docs are not available. When you see the documents, they add a link, we go to the link but it's not available. 

Also, the customer service and support have a lot of old questions that are not updated.

Neutral

It's pretty easy. The first thing you need to do is the onboarding phase. After that, you need to review that the logs that you're receiving are good. And after that, you need to start working with the correlation searches and setting up everything.

The deployment was done internally. 

We have definitely seen an ROI. It is worth it!

The pricing is always going to be different because it depends on the project you are working on and how much data you are going to ingest. But it's definitely worth it.

We directly chose Splunk to begin with.

Overall, I would rate it a nine out of ten. There are a few things that need to be more automatic because there's still a lot of manual work to use it.

We usually use the solution for the same functionality, which includes setting up alerting and making notables. We also use it for the workflow from ingestion, alerting, and response.

Splunk Enterprise Security serves as our SIEM, providing security alerts, operational alerts, and even some logging that we probably need to check in on from time to time. It basically serves as an alerting platform for our enterprise.

The solution's most valuable feature is the criticality of alerts. Some alerts can be noise, and others will be more high-level and warrant a higher-level response than others.

The solution's automation could be improved. It would be better if we could automate ingesting and alerting for low-level events.

I have been using Splunk Enterprise Security for seven to ten years.

I rate the solution’s stability a nine out of ten.

For the times I've had to set up incidents from critical to lower ones, the technical support team has been fairly responsive. Sometimes, the support team has had a two to three-hour turnaround time for critical incidents. Usually, you would like to get to someone sooner rather than later for critical incidents.

Positive

I've previously used other SIEM tools like ArcSight, QRadar, and Elastic Security.

We have seen a return on investment with the solution.

The solution helps us see what's actually happening in our environment. Some things we might not expect at times, and others we do expect. The tool helps us respond based on what we see from our logs. I've seen and thoroughly liked some AI, automation, and single-pane-of-glass updates coming to the solution.

It is very important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. You can't respond to what you can't see was ingested. So, the visibility provided by the tool into our logs and alerting environment is critical.

From an ingestion point of view, the solution alerts you to what you'd tell it to. It's pretty agnostic log-wise.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data.

It has helped reduce our alert volume. You're getting the same alerts. You can see what's noise, what's actionable, and what's not as actionable.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. We see what's coming into the environment, including specific logs that we wouldn't expect as much. All of that gets filtered into alert data, potentially operational data, and sometimes even billing data, so we can adjust and move forward with that in the environment.

Splunk Enterprise Security helped reduce our mean time to resolve by somewhere between 20% to 35%.

Splunk Enterprise Security has helped improve our organization's business resilience for some ingestion purposes.

The unified platform helps consolidate networking, security, and IT observability tools. Splunk is pretty log-agnostic. All of your logs, tools, and sometimes even dashboards can get ingested into one specific tool. That way, you have a single platform where you can view all those logs and respond based on that data.

Overall, I rate the solution a nine out of ten.