Splunk Enterprise Security Reviews

I have worked in a couple of areas of Splunk. Initially, I was part of a monitoring team that used it for security information. I used to monitor security alerts which we used to get on Splunk, which was based on the use cases and we set up specific rules for it. Currently, I am part of the administration of Splunk. Now I onboard different log sources to Splunk. We pass over the logs so that it can be used for the security team.

It helps with security and making sure our infrastructure is compliant. It also allows reporting to be in one centralized location. We can monitor the security logs effectively. It really helps as a cybersecurity element for the company infrastructure to protect us from attacks.

It is quite reliable in terms of data. We have a good amount of licenses currently and find it to be very flexible. It can handle and pull up any amount of data.

Splunk is very fast and user-friendly as well. The UI and design is user friendly. It is easy to understand. 

We can do a lot of things on Splunk. We can integrate a lot of other applications on Splunk. And that can be used for day-to-day security operations. It is easy to use, easy to implement, and it is fast. It is reliable.

Our organization monitors multiple cloud environments. We monitor all the infrastructure and cloud environments of clients.

It is easy to monitor multiple cloud environments with Splunk. You have to get clients onboarded to Splunk first, and then the monitoring part comes last. We have a couple of things that have to be done before the security team starts monitoring. For example, we install the agents and set up the hosting. We get the data from the host, we pass it. It is quite a lengthy process. It is easy, however, we have to do it very carefully and cautiously.

Splunk Enterprise Security provides visibility into different environments.

The solution's insider threat detection capabilities for helping our organization find unknown threats or anomalies in behavior are good. We have multiple security frameworks. For example, we have micro frameworks. There are different sets of rules. We set it. What Splunk does internally is just match the incoming logs. Based on the rules that we have set, it will match with the incoming logs. If it matches, then it will generate alerts for the security team. Based on that, we can identify if there is a potential threat trying to get into the company or internal infrastructure. 

The actionable intelligence provided in Splunk Enterprise Security is good. 

It will help us to automate things and can handle certain items on its own. It will just investigate, remediate, and close the necessary alert. If it is beyond Splunk's capability, then an investigation team will be involved in it. 

I have used the threat topology and attack framework feature, however, now I am more of an administrator.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. There are a couple of other tools as well, which do the same thing. However, with Splunk, it's very easy to work with the dashboard and do search queries. You can easily look through the logs via Splunk UI.

The solution helped reduce our alert volume. It will just minimize the false alerts, and just post positive alerts. It's likely reduced false alerts by 60%. A lot is automated now and that helps cut down on manual work.

The solution has helped to speed up our security investigations. Once again, the automation will speed up the process of investigation. It saves a lot of time for analysts as it allows them to see the initial data. If a team has multiple alerts, it will take them time to go through and check everything. However, Splunk does the initial investigation for analysts and will escalate to analysts as needed. It might have reduced security investigations by 80% compared to earlier versions. 

When we do a rollout from the server or host or anything, we'd like to see more automation. It would save us time. We wouldn't have to write anything. We would just like the raw log automation.

I've been using the solution for three years now. 

It is a stable product.

There are two types of users: the administrators and then the users where the logs are coming from. We have about ten to 15 administrators working directly with Splunk. Overall, there may be more than 1,000 end users we get logs from.

The solution is scalable. In terms of data, it's very flexible. 

Technical support is good.

Positive

I've used other solutions in the past. We previously used
ArcSight Enterprise Security Manager (ESM). It was older and very slow. Comparatively, Splunk is very fast and it has a better UI.

The initial setup was easy. It was not complex. I didn't do the implementation on my own. The deployment times vary. There are many moving parts, such as approvals that need to be taken into consideration. 

We get logs from various sources from various clients.

It does require a bit of maintenance. It requires, for example, server upgrades and patching. 

I can't comment on pricing. I don't take care of that aspect. 

I'm a customer and end-user.

I'd recommend the solution to others and invite them to test the service first on the infrastructure they have. It's a very valuable product to have.

I'd rate the solution nine out of ten.

I am the branch chief. I use Splunk Enterprise Security depending on how swamped the team is. I use it for anything from basic searches to DDoS attacks, which is a big thing right now. So, DDoS attacks and phishing emails are a lot of what I am using it for.

We had FireEye before and then we went to CrowdStrike. Splunk has definitely helped to have everything into the tool. It is a lot easier to complete the tickets. It saves, on average, a couple of hours a day. We just go to Splunk and then provide data and work with different people on the tickets, so it saves hours each day. We have been able to allocate these hours to other projects or things that are more of a priority. We are able to do different projects that were on the back burner. We can put those hours towards other things.

Splunk has improved our organization’s business resilience. We are able to give leadership updates through dashboards versus the actual metadata. It is easier for them to understand and provide leadership.

Splunk’s ability to predict, identify, and solve problems in real-time is very good. It is proven. Every couple of weeks, it catches some of the things that our SOC team did not catch and provides alerts, so its real-time capabilities are very good.

Our team has overall benefited from Splunk. We had FireEye before, which was not that good. We are able to benefit from Splunk not only in terms of instant response. We also have other teams doing vulnerability management using the Prisma systems. It is important that Splunk provides end-to-end visibility into our native environment. We use it for Prisma and instant response. Without Splunk, we would not be able to do some of the things that we need to do unless we went to individual tools, and we do not have the resources for that.

Exporting is a good feature. It helps me out when I have to do reports. I do a lot of exporting and crunching of the numbers. Dashboards are okay for showing to the leadership, but for doing statistics and updating tickets, the export feature is very beneficial for me.

They offer training. That is a big part of it. If you do not understand the tool, they are able to provide everything that you need, which helps the business. When you have learned a tool, you are able to speed up the process meantime, so you are not wasting a lot of man-hours trying to figure things out. 

I do not have any areas that can be improved. It works as intended for us, and we are getting everything that we need out of it. If anything, its initial setup can be improved a bit. 

In terms of additional features, I am still learning SOAR and everything else, so I do not have any feature requirements at this time, but as we do these SOAR operations, there might be some additional features that we will need.

I have been using Splunk Enterprise Security since 2016.

It is very good as long as you have the scope of how many servers, processors, and other things you need. There was a learning curve of making sure our servers were beefy enough to handle the data. We had four terabytes of data coming in every day. We were maxing out our systems a little bit, so we beefed that up, and we have had no issues since. 

Its scalability is easy. On-prem was very easy, and on the cloud, you have to learn and adapt a little bit, but scalability is perfect. 

I only reached out to our Splunk contacts, but my team reached out to Splunk's support team. I have not had any issues where they told me that they did not get the support they needed. They might take time to figure out what the issue is, but overall, I would rate their support a ten out of ten. 

Positive

We used FireEye, which was our primary one, and then we had CrowdStrike. Splunk has definitely been wonderful for us. The biggest reason for switching was integration. It is very easy to get all the tools fed into Splunk. They also had a cloud version, which was another reason. We are doing a hybrid setup, so cost savings was also a big factor.

I was involved in its deployment. I am the system owner of it. I am in charge of it, so I oversaw the project deployment. There is a learning curve with the hybrid setup with the cloud and on-prem, but overall, I am pretty satisfied with it.

We have an on-prem and a cloud environment depending on the platforms we are using in the system, so we have both environments. The challenging part was getting everything set up and fed into Splunk, but once it is set up, there is no difference in using it on-prem or on the cloud. We do not notice any real difference in it. 

The initial setup could be improved a little bit. It depends on your local team, firewalls, and other things like that, so there was a learning curve for the teams to learn how to set it up. That part could be improved, but once you go through it, it is not an issue. 

We had the Splunk team, and they did wherever they needed to get everything deployed. Our experience with them was good. We have worked with Splunk for years now. Their support has been very beneficial. If I have a question, they jump right on and let me know. They walk me through it and give me updates, so I am pretty happy with Splunk.

We have seen an ROI in terms of the mean time to resolution and man-hours. We are able to allocate those hours to other things. We have not got there yet in terms of the upfront costs, but we will get there over time.

When it comes to the time to value, we are getting there. We have not got there yet, but over time, we will get to the time to value.

Its price is fair. Like with anything else, if you go into the cloud, different providers cost more, and you are able to throttle back or throttle up. The cost is comparable with anything else.

We evaluated other options. We had to evaluate the pros and cons in terms of the cost and the capabilities of each tool. A lot of that went into the proof of concept. We did our due diligence and determined that Splunk was the best fit for us.

I would rate Splunk Enterprise Security a ten out of ten. It gives us everything we need, and its capabilities keep on improving, so it is getting better. 

We use it to provide both operational and security dashboards based on our clients' equipment. We use it for infra monitoring and threat analysis.

We have multiple rules for analyzing malicious activities and detecting breaches. We get the notable events from the logs and from there we drill down into the cause. We correlate that with the framework and get a score. Based on that, we proceed to the investigation.

It gives us a complete correlation between data processes and security threats. It has threat analysis and the MITRE ATT&CK framework. From a SOC perspective, it uses multiple components or frameworks and, in that way, is very useful, providing us with a lot of information for our clients. They don't want multiple teams dealing with security and malware, et cetera. Splunk Enterprise Security gives us everything in one place.

We get all the real-time logs and, based on the configuration, it's pretty easy to use to find threats. It has helped to speed up our security investigations. Before we went with Splunk Enterprise Security we had limited information but now we have threat intelligence to enhance things.

We are now handling multiple customers globally. We are able to build custom rules based on customer requirements and the applications and data they are using. It is enhancing the security of each customer's infrastructure. We are able to provide weekly and monthly reports and, based on that, our customers are honing their firewalls and other security infrastructure. Splunk Enterprise Security is very helpful in improving the security of our clients.

It gives us good visibility into multiple environments, including cloud, on-premises, and hybrid; irrespective of platform.

The UI is also very friendly. You don't have to work very hard to find things.

One issue is that we are getting a lot of false positives. We are trying to reduce them by customizing the default rules, changing thresholds, and using white-listing and black-listing. It's getting better and better as a result. But they need to build components that would reduce the false positives. 

Also, we have a lot of security feed providers. If there was some kind of management tool for that, it would be a great tool to have.

I have been working with Splunk for about four and a half years.

I started working with Splunk Enterprise Security at version 6 and now we are up to 9 and it needs more resources. But it's okay because we have a lot of functionality now. It's better than it was earlier. I would rate the stability at nine out of 10.

Splunk on the cloud is scalable, a 10 out of 10.

If someone is doing the deployment for the first time, it will be a little complex. The installation is straightforward, but for the configuration, you need to follow the documentation and understand it. That is a little difficult the first time if you are doing it on your own. If you have anyone with experience who can explain the configuration, the second time it will be straightforward.

The solution requires maintenance but not much, mostly when there are upgrades 

Most of the companies we work with are keen on budgeting. They can't spend much on security. Their problem is with the cost. They would like to have it but the problem is the budget. If they got a taste of Splunk Enterprise Security and its benefits, they might be able to cope better. A 15-day trial doesn't give them much hands-on or benefit from the tool. From a security perspective, they would need to have it for six months or a year to get a sense of it.

We try to explain, to someone who is concerned about the cost, the functionality and how powerful the application is. Security people know it's better to have a better solution, but management has to look at the budget.

We tried some other solutions, but they didn't work like Splunk. We found that Splunk is the best one.

We work on multiple cloud environments including AWS, Azure, GCP, and most of the popular clouds. We have built our own combined app to monitor most of the cloud service providers. We have our own solution for cloud security monitoring.

My advice is that for big firms, because it has better detection and security, Splunk Enterprise Security is a very good tool. For big companies, good security is important, especially if they have a global market.

I don't see any other software having as much functionality and different ways to investigate security.

Our technical teams are demoing various enterprise tools to develop experience and knowledge so we can better serve our clients. In addition to Splunk, we are evaluating IBM QRadar and one other solution. One of our customers is asking about the Splunk MSP model.

Splunk allows us to customize processing and dashboards, which helps us take care of our customers' needs. Splunk is costly, but it's better than other products. It speeds up security investigations. It helps us detect threats faster. Everything is faster. The only part that's lagging is the management. Otherwise, Splunk is good. It took about a month to realize the solution's benefits. 

We get few alerts except for the other solutions we have integrated with Splunk. We'll monitor those alerts and support their customers, but we don't have any other mechanisms for databases or something outside of the infrastructure. 

Splunk enables us to customize dashboards and queries, and we can add multiple admin users. We only use the essential parts, including the MITRE ATT&CK framework capabilities. Organizations share threat information under the MITRE ATT&CK framework. We do threat hunting and marketing based on that.

We do manual threat hunting. We get all the IP addresses and check the threat databases to determine if it's malicious. 

The algorithms and alerts could be improved. I would also like to pre-build use cases. We need to create the algorithm based on our use cases. 

The threat management part is still lagging. There are some gaps in threat management. Other vendors have built-in threat management systems, but Splunk lacks the threat management component in its portal. The UEBA and everything else is perfect, but it lacks a unified threat intelligence and management feature. 

We've also had problems integrating the solution. We get multiple errors, like search log errors, UI errors, etc., and performance issues. It's fine with basic content, but if we're dealing with multiple data sources and 30 GB of data, it cannot handle the load. Our customer is indexing around 10 GB of data daily, and I can't search the log without getting errors. 

Splunk Enterprise is stable. 

Splunk Enterprise is highly scalable. 

We haven't had to contact Splunk support because we can find all the answers we need online. 

We also use IBM QRadar.

Deploying Splunk is straightforward. We had no issues. 

Splunk is more expensive than most solutions, but it offers lots of value. If a customer wants the cheapest solution, we'll use that.

I rate Splunk Enterprise Security an eight out of ten. I would give it a ten if it had built-in threat management. 

Splunk helps us to be proactive and it integrates with many devices. It offers visibility from many different levels, areas, zones, and devices rather than from a single system. We can use this intelligence to create correlations, system solutions, etc. Splunk reduces the risk factors and helps us in many ways beyond just collecting logs. Though Splunk is costly, it has many features like threat intelligence which is very useful. It helps us be proactive about reducing risks.

Splunk incorporates a lot of elements that help to reduce security risks. For it to reach certain compliance, we need to have some security insight. Splunk is a very good SIEM, it’s a top solution, but the best feature is its cost of visibility. We have all the most important features to detect vulnerabilities or risks.

Customers cannot manage or maintain the servers on the cloud since they are all deployed. Since there are platforms, they can become a little bit hectic. One of my other observations is that the applications that are available on the store are not updated as much as those available on on-prem.

Moreover, I have had issues with the Splunk store. I believe that the developers in the Splunk store are external and I can see that the level of maturity of these developers ranges between low and medium. I have never seen the maturity go up higher. The applications are not maintained regularly and it can cause issues in the visibility dashboard. I would suggest to Splunk's tech team to keep the store private, so that Splunk creates its own applications without the interference of external developers.

I have concerns about the architecture as well since I can see it is not very well defined. However, this is not the case with on-prem. We were able to manage and do whatever we wanted on the server level without opening a case or anything else. Moreover, the applications are updated every six months.

Splunk is a stable solution.

Splunk is a scalable solution. I am also impressed with the integrity of the solution. It is very good at collecting logs.

To resolve issues in the Splunk platform, you need to wait in a queue and then open a ticket with the support team. I find it a bit time-consuming since it takes time to call tech support and get what you need.

I have used Wazuh. From my point of view, Wazuh is a simple and basic SIEM solution compared to Splunk in terms of features. I don’t see Wazuh as a competitor to Splunk. Wazuh relies greatly on human tactics. It is best suited for cloud environments and maybe smaller ones. I have issues with Wazuh’s stability as well because I have found scenarios where it was working for one instance and not for another. These issues might be because it is open-source.

Wazuh is not actively working on their platform. I opine that they need to integrate many components and have many aspects automated so that the solution does not depend on its users. I have found issues with the language of Wazuh as well. It requires a lot of resources and time to learn the language. These issues make me think that Splunk is better than Wazuh.

The initial setup process for Splunk was simple. The language used in Splunk is very easy to pick up and you can rely on any person using it to be able to learn it quickly. The language and picking up logs are easier with Splunk.

I implemented Splunk through a POC.

Splunk is costly but it’s worth it due to the high-end features.

I have worked with Wazuh and ManageEngine Endpoint Central.

I would rate Splunk Cloud a 6.5 out of 10, but plugged on time, I would give it 8.8 out of 10. The maintenance of Splunk is a bit difficult due to the time-consuming tech support.

I would recommend Splunk. I cannot compare Splunk with any other SIEM solution because I have worked with many different solutions and logarithms, like the ManageEngine Endpoint Central, and Wazuh. I have used Splunk for two years and I can see Splunk as really the best SIEM solution that can be used for work. I totally recommend it even though I gave some negative feedback, it's because I am coming from a product perspective. We have to also take into consideration the security perspective. I am not talking about only visibility in which they should take a lot of care, but the way the solution is handling and even manipulating the data. This is the most valuable thing.

I use Splunk Enterprise Security for threat hunting.

The end-to-end visibility provided in the dashboards is great for our needs.

Splunk Enterprise Security allows monitoring across multi-cloud, on-prem, and hybrid environments.

Splunk does a good job of ingesting and correlating data.

Splunk provides real-time monitoring.

 The framework's features, such as the MITRE ATT&CK framework, are great.

Our MTTR has improved with Splunk. It has improved our investigation time.

The most valuable features of Splunk Enterprise Security are the enterprise search bar and the dashboards.

The threat intelligence management feature would benefit from a broader range of APIs for enhanced integration. This would facilitate seamless connection with various threat intelligence platforms, as some currently are missing APIs, making integration difficult.

The high cost of Splunk Enterprise Security prevented us from using its full capabilities. 

I have been using Splunk Enterprise Security for one year.

Splunk Enterprise Security has been largely stable, experiencing only a few brief periods of downtime.

We use Splunk and Sentinel for different purposes mainly due to cost factors not because one is better. For example, we use Splunk more for network traffic.

The price of Splunk Enterprise Security fluctuates based on the customer, but I believe it's quite costly, especially for our clientele. Furthermore, to access the full range of features, it's exceedingly expensive to have comprehensive log data.

When evaluating SIM tools and considering the cheapest option, Splunk Enterprise Security might be worth considering, especially for larger organizations. While cost is a factor, Splunk offers significant value, and I recommend it over focusing solely on price.

I would rate Splunk Enterprise Security seven out of ten.

We use Splunk Enterprise Security for insider risk and security operations centers.

Splunk Enterprise Security primarily reduces our lead time for identifying risks and threats. Since a lot of the work is being outsourced or we depend on those new threat intelligence feeds, we're able to identify and triage them quicker. So, it leads to a quicker incident response.

The solution's most valuable feature is threat intelligence correlations. It's too hard to stay up-to-date on all the different data feeds yourself. So, having a tool that does it for you is very beneficial.

Splunk Enterprise Security has increased our alert volume because we now have new data to work with, and we're writing more alerts. We don't use the solution a lot for observability. Usually, our primary use case for Splunk Enterprise Security is cybersecurity.

It is extremely important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. That's the primary reason we use it. We want the ability to do everything from one tool without having to trash back and forth and take that precious time.

Splunk Enterprise Security has helped reduce our mean time to resolve. We're at least twice as efficient with Splunk Enterprise Security at identifying risk, following up, tracing it throughout the chain, and resolving it. We still have various toolings, but over time, the goal is to nest everything into Splunk Enterprise Security to make it cohesive from end to end.

I'd love to see more integrations, which is one of the primary points of the key node with Splunk Enterprise Security. I would also like to see more admin capability to enable the health of Splunk Enterprise Security because, a lot of times, it's difficult to know when and why things are failing, especially for on-premises customers.

Splunk Cloud is a little clearer because it has more integrated support. For on-premises, it feels like sometimes you have to guess and then hope for the best. Troubleshooting some things related to Splunk Enterprise Security takes a lot of time.

I have been using Splunk Enterprise Security for five years.

The solution's clustering is great, but it could have easier containerization where it's more dynamic, and you can spin up and scale down as needed. Right now, Splunk is a very large expense for us as far as our cloud environment is concerned. Anything we can do to cut costs would be great.

Right now, we run the servers 24/7 and never change the size unless they're underpowered. We're spending a lot of money on off-hours to keep it alive, which is not ideal.

We've got a lot of experience on our team solving Splunk, but the few times we used Splunk's technical support, we found them to be very effective and efficient. Occasionally, we'll forget to respond to them, and they'll follow up with us, which is usually the opposite of what you see. So, I've got nothing but good things to say about Splunk support.

The solution's deployment was difficult because we were going through admin changes right as we were installing it. It took three admins over the course of five years to get it set up. I think if we had one dedicated admin from the start and kept them on the job until the job was done, we wouldn't have had nearly as much trouble.

We used a reseller to implement the solution.

We have seen a return on investment with the solution.

Splunk Enterprise Security is really strong, capable, and great at what it does. There are obvious areas of improvement, but it looks like Splunk has already identified them and is working on road maps to enhance SOAR integration and AI digital assistance for Splunk Enterprise Security. Once those are fully implemented, the product will further improve.

Overall, I rate the solution an eight out of ten.

I implement Splunk products in customer environments. I am not an end user. I implement the product on customers' cloud stack.

I have full experience in the implementation part. I know the end-to-end configurations in Splunk. I know how to configure it, index the data, and then how to use it to get some alerts.

Splunk Enterprise Security has improved our incident response time quite a bit. What we usually do in the customer environment is to configure it with their ticket management tools. It creates alerts and pushes the alerts to the ticket management tool so that their analysts are able to view the tickets and then do an instant investigation. It provides a good solution for instant response.

Splunk Enterprise Security has complete information about the entities and the users in the organization. In the case of any alert, we do not have to manually verify the computer name and its owner name. In the alert itself, Splunk Enterprise Security populates the necessary data that we need. It is a great feature of Splunk Enterprise Security.

We have created dashboards related to critical alerts. For example, we have a dashboard for the inbound and outbound traffic flow of firewalls. We use a few other products or IT systems to monitor the CPU and memory utilization. We are also able to integrate web applications, Kubernetes, Linux systems, Windows systems, etc. We integrate whatever data sources are available.

We monitor most of the cloud environments with Splunk Enterprise Security. We have different cloud providers such as AWS, Azure, and GCP. We have separate add-ons and apps for them. It is quite easy to integrate those. Third-party developers are also able to develop their apps and publish them at Splunkbase. We can utilize them for visualization of the data that we are interested in from different sources.

We configure most of the frameworks available inside Splunk Enterprise Security such as threat intelligence, identity management, and risk management. Whenever alerts are triggered, these frameworks do the correlation and give us visualization over the dashboards, which improves the incident response time.

There is something that we can configure to reduce false positives. If any alert is triggered, it checks against various threat IOCs, such as IPs, URLs, domains, emails, file hashes, etc. If it matches any of the threats, we can take it forward.

Splunk Enterprise Security has helped speed up our security investigations.

They can also improve their capability of ingesting data from different IoT sources. It supports IoT data, but they can add some additional apps or add-ons to easily integrate the IoT devices.

I have been using Splunk Enterprise Security for the past two years.

It is a stable product as compared to other premium solutions. I do work with other premium solutions. Splunk Enterprise security is a more stable product.

It scales very easily. We can have as much data as we want. We have customers who are ingesting more than 400 TB of data per day, so it does not matter how much data you have.

We have customers that have the Splunk application deployed in a multi-cluster environment.

Their support is good, but they can have a customization team to help us with any customizations. I would rate them an eight out of ten.

Positive

This is my first tool.

We have deployed it on-prem and on the cloud. Its deployment is straightforward. Any Splunk engineer can do it.

It requires maintenance in terms of upgrades. Apart from that, it does not need any maintenance. There is a one-hour or two-hour maintenance window to upgrade the apps.

I would recommend Splunk Enterprise Security. Its frameworks make it stand out among other tools. 

It is a great solution with multiple in-built frameworks. With other solutions, there can be limitations in configuring different frameworks within the same solution.

Overall, I would rate Splunk Enterprise Security a seven out of ten.