Splunk Enterprise Security Reviews

We use Splunk to monitor our private cloud, data center, and other applications.

I don't like Splunk very much and find that it does not have many useful features.

Splunk works based on parsing log files.

I don't like the pipeline-organized programming interface.

I find the graphical options really limited and you don't have enough control over how to display the data that you want to see.

I find that the performance really varies. Sometimes, the platform doesn't respond in time. It takes a really long time to produce any results. For example, if you want to display a graph and put information out, it can become unresponsive. Perhaps you have a website and you want to show the data, there's a template for that, or it has a configuration to display your graphics, and sometimes it just doesn't show any data. This is because the system is unresponsive. There may be too much data that it has to look through. Sometimes, it responds with the fact that there is too much data to parse, and then it just doesn't give you anything. The basic problem is that every time you do a refresh, it tries to redo all of the queries for the full dataset.

Fixing Splunk would require a redesign. The basic way the present the graphs is pipeline-based parsing of log files, and it's more of a problem than it is helpful. Sometimes, you have to perform a lot of tricks to get the data in a format that you can parse.

You cannot really use global variables and you can't easily define a constant to use later. These things make it not as easy to use.

I have been using Splunk for approximately one year.

I use Splunk at least a couple of times a week.

I'm not sure about scalability but to my thinking, it's not very scalable. I know that it's probably expensive because it relies a lot on importing log files from all of the systems. One of the issues with respect to scalability is that there's never enough storage. Also, the more storage you have, the more systems you need to manage all the log files.

Splunk is open for all of the users in the company. We might have 1,000 IT personnel that could access it, although I'm not sure how many people actually use it. I estimate that there are perhaps 200 active users.

I have not been in contact with technical support from Splunk.

In this company, we did not previously use a different monitoring solution.

I was not involved in the initial setup.

We have a DevOps team that is implementing Splunk and they are responsible for it. For example, they take care of the licensing of the product.

We have a team at the company that completed the setup and deployment.

The other product that I've seen is Elastic, and I think that it would be a better choice than Splunk. This is something that I'm basing on performance, as well as the other features.

My understanding is that as a company, we are migrating to Azure. When this happens, Splunk will be decommissioned.

Overall, I don't think that this is a very good product and I don't recommend it.

I would rate this solution a five out of ten.

I'm a technical support engineer for Cortex XDR at the moment and in my company, we are selling the Cortex XDR solution to other companies. 

I also have experience with Splunk Enterprise Security and CrowdStrike too; we are using those products in my company. For Splunk Enterprise Security, I am using the Enterprise Security module and base Splunk for developing rules.

The deployment server is very good and is one of the best features of Splunk Enterprise Security for me; you can use that deployment server even for distributing any agents, upgrading automatically, and universal forwarders. Its search is very flexible, allowing you to search anything by typing a sentence.

Splunk Enterprise Security is a wonderful solution, however, the background configuration process could be better as the administration process is very complicated. As an analyst rather than a Splunk engineer, some background configurations might be easier.

I'm working with Splunk Enterprise Security for six months, however, I have been using Splunk for one year.

Splunk Enterprise Security is a very stable product; I have never been in trouble with any stability problems if you set it up correctly.

I would give support a seven out of ten as Splunk Enterprise Security's advanced support is very skillful, however, to reach that advanced support, first they send you some beginner-level support that mostly does not solve problems for me. That said, when they escalate it, it completely finds a solution.

Before Splunk Enterprise Security, I didn't use any other solution.

I did not set up the Splunk Enterprise Security; my admin colleagues from another department set it up for me.

I'm just using and revising the rules. I'm a Cortex admin, so I'm involved in the process for Cortex, not for Splunk Enterprise Security.

My company is a partner with Splunk Enterprise Security. As an engineer and layer two security analyst, I'm solving problems with Splunk Enterprise Security, editing rules on customers, reviewing alerts, and developing rules.

I'm not aware of the price of the tool. My company and other departments arange the licensing. 

On Splunk Enterprise Security, we imported from the content library, specifically from the content management page that contains many rules; we are importing rules from there, enabling rules, and editing them. I'm not a deep down administrator of Splunk Enterprise Security, so I'm not arranging the data models. I'm mostly editing the rules.

On a scale of one to ten, I rate Splunk Enterprise Security an eight out of ten.

We use the solution in our SOC to support SOAR. We use its alerting capabilities and integrate them with our SOAR platform. Additionally, we tie it in with cyber threat intelligence, cyber threat hunting, and adversary emulation tools to identify gaps in our environment and alert us to notable events.

The tool drastically reduces SOC overhead. Its integration with our tool suite is great and helps us correlate events. The solution is also a lot faster than our standalone instances. 

Splunk Enterprise Security helps address our customers' missions. We want to ensure that our environment is secure and safe and detects anomalies and threat actors as soon as possible. 

The solution helps my organization's ability to ingest and normalize data. It has also improved resilience.  

Enterprise Security is expensive. 

I have been working with the product for three years. 

Splunk Enterprise Security is very stable. 

The tool is very scalable. We can deploy agents seamlessly and get reports. 

We have had good success with customer support. We haven't had any issues contacting them and getting problems resolved. 

Splunk Enterprise Security's deployment is hit or miss. Recently, we got UBA. We were able to spin up an environment easily with Terraform. However, the recent upgrade caused many hiccups and slowdowns. We are working with support to resolve them. Some legacy code is choking the system and slowing us. 

We do market evaluation and continuous research every year to check for alternatives to our security tools. 

It seems like the tool is improving. It incorporates AI into the platform to streamline event identification processes. 

Splunk Enterprise Security does a good job. However, we need many analysts to correlate searches and populate data models, and some overheads are needed in any SOC environment. 

We have a lot of data to process from different sources. However, we have only limited data analysts. It takes time to find malicious threats or what we seek. 

No specific metrics are tracked, but we report this to our leadership weekly, focusing on continuous improvement. Regarding reducing the mean time to resolve, especially with our SOAR integration, we can swiftly address major issues by leveraging alerts to initiate tickets. This allows us to notify the teams and address issues immediately. 

I rate the overall product a ten out of ten. I don't think there is another alternative with similar capabilities. 

We mainly use the solution as a reseller. We give our users the latest version of the product. 

The solution is the market leader.

Our customers are always looking to partner with market leaders as you can't go wrong with them.

Customers can monitor cloud environments. 

The threat detection capabilities are quite fast and efficient based on my customer's feedback. 

We've used the MITRE ATT&CK feature and it's good. It's pretty standard and comparable to IBM. Most products offer this as well. 

It's good for analyzing malicious activities. It's good as an overall platform. It's good at detecting threats. It's a basic feature that is quite effective.

Splunk can help to reduce alert volume if you configure it properly.

They are a market leader in a lot of areas in terms of features and functions. 

It helped us speed up security investigations. I'm not sure of the exact percentage it helped us speed up by, however.

It has a lot of basic and standard features. 

It is a full-fledged solution that provides everything a company needs.

When it comes to malicious activities, however, it's rather overpriced. There are cheaper ways to detect.

There are quite a lot of security platforms on the market that do the same thing in a similar way at a cheaper rate. 

The pricing could be a lot lower. I'm from Asia, and they need to provide Asian pricing. They should price better for the region they are in. Once companies see the price, it puts them off. 

The integration could be a bit better. They charge for certain integrations. 

I've used the solution for about a year or more. 

It is a stable product.

The solution is used across multiple departments, not locations. That said, it would support multiple locations. 

We've had no issues with scalability. We usually have a solution that lasts three to five years and have had no issues scaling in that time.

I do not directly deal with technical support. 

We previously used many solutions, such as IBM. The implementation times are about the same. There are some ways that IBM is faster and other ways Splunk is faster. However, Splunk offers a more modern look.

The initial setup is very easy. It's quite straightforward. The process is similar to IBM. The deployment takes less than one day. It is done by a different team. I don't handle the initial implementation process.

The maintenance needed is very minimal. We have at least ten people that can handle deployment and maintenance. 

The solution is quite expensive compared to the competition. It's considered a premiere security option. 

We also looked at Dynatrace before choosing Splunk. 

I'm a registered partner of Splunk. 

We are using the latest version of the solution. 

We haven't used the threat intelligence management feature. We usually use another product.

The mission control feature hasn't been used. I'm not familiar with it.

For those looking for a cheaper product, I'd suggest, if they had a limited budget, to go cheaper. Likely a cheaper option that can do the same work as Splunk. At the end of the day, whether you choose a Toyota or a Rolls Royce, you get from A to B the same. The price is the differentiation. 

I'd rate the solution eight out of ten. It's a good product overall. 

As a software analyst, I utilize Splunk Enterprise Security for security purposes, including threat hunting on developed and customized applications for vulnerability management. I also use it to display dashboards, analyze data, and address alerts.

We implemented Splunk Enterprise Security to consolidate all our security data into a single platform. This has enhanced our visibility into our security posture and the potential threats we face.

Splunk Enterprise Security enables us to monitor multiple cloud environments, which is crucial for receiving real-time email alerts in the event of critical incidents. However, directing me to the source can be time-consuming compared to the verified swim methodology used by SIEMs. For my application, I have approximately ten million records. Directing me to the service code takes two minutes to instruct them to view the file using VLOOKUP. However, sending it to the capital takes about half an hour.

The ability to monitor multiple environments is excellent. We have customers who use Splunk Enterprise Security both on-premises and in the cloud. Both options have their merits, depending on the specific needs of the customer. If a customer has the required resources, the cloud is often the most suitable solution.

The robust threat detection capabilities of Splunk are essential for our project. However, it's crucial to manage user access carefully. While we need to grant access to certain users, we must not provide them with unrestricted capabilities. Splunk's granular access control feature empowers administrators to customize user permissions, ensuring that only authorized users have access to the necessary features.

Splunk's threat topology helps us identify the scope of an incident. This is crucial due to the high likelihood of unauthorized data being compromised, necessitating prompt incident detection.

Splunk Enterprise Security has facilitated the timely detection of threats, enabling us to swiftly customize it to identify a wider range of threats and potential risks. We can incorporate external scripts for enhanced threat intelligence and threat-hunting capabilities.

Before implementing Splunk Enterprise Security, we relied on a patchwork of other tools, each requiring manual implementation for data collection, rule definition, and threat identification. This approach was not optimized and occasionally resulted in delayed threat detection. Limiting our focus to device security alone proved insufficient, as it lacked the real-time threat actor intelligence and activity insights provided by Splunk Enterprise Security. Our reliance on licensed development restricted us to pre-built alerts or manually uploaded scripts for mitigation and response.

Splunk Enterprise Security has helped reduce our alert volume.

Splunk Enterprise Security has helped speed up our security investigation time.

Three features stand out for me: the SDK for writing Python, the customizable and adaptable diagnostic dashboard, and the optimizer for collecting data.

The threat detection system has room for improvement. The critical aspect for an organization is the timely detection of incidents. If the rules are not defined correctly, threats may not be detected in real-time, resulting in incidents being detected months or even years after they occur.

I have been using Splunk Enterprise Security for almost seven years.

I would rate the scalability of the solution eight out of ten.

I would rate the resilience an eight out of ten.

I contacted Splunk support once for a separate product.

Positive

The initial deployment was straightforward for me, likely due to my extensive experience using Splunk. When implementing the solution, we begin by defining customer needs and requirements to optimize Splunk. This involves identifying the systems necessary for daily use and ensuring the protection of the integrated licenses and external apps in the Splunk environment. This protection encompasses program security, cloud-based security, and data analysis for specific apps. Additionally, we configure personal authentication for private applications.

The deployment time is dependent on the specific requirements and can range from two to ten days.

The implementation was completed in-house.

Splunk Enterprise Security has delivered a return on investment through its effective threat detection and vulnerability response capabilities. We have successfully demonstrated this positive impact on our customers through comprehensive reports.

I would rate Splunk Enterprise Security nine out of ten.

While there may be cheaper solutions available, they lack the optimizer, dynamic dashboard, and security APIs that Splunk offers. These capabilities are not found in other solutions.

Maintenance is minimal for updates only.

When using Splunk Enterprise Security, ensure that optimization is performed correctly to minimize response times and resource consumption.

We use the product to analyze security anomalies and research specific threats that we get on our network.

The solution has made us more secure. It has given us the ability to address threats faster, with greater accuracy.

The availability of the data and the fact that we're able to collect a large amount of data into the system and analyze it is valuable to us. The product’s speed and availability make it really useful for us. I'm excited about the additional enhancements to the machine learning toolkit. To be able to use it more is exciting to me.

My organization needs more people to learn how to use the solution effectively. It takes time to train people.

I have been using the solution for six years.

I have never seen any issues with the tool’s stability.

Considering how much we have in place, I would assume that the solution’s scalability is pretty strong.

I haven't had to go to Splunk directly for many things. Communicating with our success managers has been very positive.

Positive

We need to improve our implementation. We're a pretty large customer of Splunk, so I think we do have a lot of resources available. Splunk has really good courses and availability. We need to get more people to be more familiar with the tool. The solution has helped us reduce our mean time to resolve. It really works well for us, and it helps us to look at our data more effectively.

Splunk has helped improve our organization’s business resilience. It's not just used for security. We have big use for it. It has definitely helped us prevent problems from occurring and identify them when they do. Splunk’s ability to predict, identify, and solve problems in real time is very strong. It works as well as we use it. There's a lot of value within the tool. It can be very powerful if used properly and if people are knowledgeable about it.

Splunk has a strong ability to provide business resiliency by empowering staff. I've been using it for as long as I've been with this organization. Compared to other solutions, Splunk is really strong.

I have seen time to value using this solution. I love using it. It’s a great tool. I cannot compare Splunk to other tools because I've been using it for as long as I've been with my current organization. In my previous organization, we didn't have big data, so we really didn't need the product. I am a consumer of the solution from a security perspective.

Overall, I rate the solution an eight or a nine out of ten.

Our primary use case is for cyber security, tracking logs, and incident response.

I haven't had the chance to properly sink my teeth into Enterprise Security but so far I like that they added the MITRE ATT&CK features. 

This feature helps us know how to plan when we have an incident, know where to look, what to look for, and aspects like that. 

The MITRE ATT&CK planning is valuable. When we see those incidents and those logs, having the information right there speeds up the process a bit.

We did not have a SIEM at the time, so we added Enterprise Security as our SIEM. We're hoping to learn more about it and grow as we progress.

They wanted us to do basic training, which was offered to our organization for free. That was great. However, ours is a cybersecurity focus. The training was mostly sales-focused, like how to monitor your sales. It was hard to then come back from doing the training and try to switch it to a cybersecurity focus because all the training we did was sales oriented. The basic training didn't really touch on any kind of cybersecurity use cases or anything like that. That would have been great to see in the training.

We upgraded to Enterprise Security a year ago but have been using general Splunk for longer. 

Stability-wise, despite these issues, it's been solid. I haven't had any issues with access to it or anything like that. The only issue we did have was with the engineer. After informing him of those issues, he went back and tweaked them, and then everything worked fine. 

It seems pretty scalable. Our network isn't extremely large, so I don't think scalability will be an issue in our case, but I definitely see the opportunity to scale if needed.

We have around 8,000 devices, so it's a fairly small network. It's across several different networks.

I have not used support yet mainly because I haven't delved into it as much because of the issues with our initial integration with our engineer not being so trained. 

We have different contractors and they have other solutions. Some of those solutions included Elastic. We want to use Splunk and our contractors want to use Elastic. We're hoping .conf23 will broaden our imagination, so we'll have more to bring back and push towards just using Splunk only.

I have not used Elastic myself. It does sound like it does a lot. There's a lot that Splunk offers that we haven't actually used. I want to play with Mission Control. We only use Enterprise Security but I do want Mission Control where everything is in one centralized application where you don't have to jump to different applications. 

I would love to get Mission Control.

My engineer had a little bit of an issue with it but it was because of his own lack of training. We were pushed to hurry up and get a SIEM. He did the best he could. I let him know what wasn't working, and then he would try to fix what he could on the backend so it could work. He was in talks with Splunk to fix those issues. The results are coming back a bit better, but I think that there is still room for improvement.

I was not involved with the setup. I came in afterward. One of our guys here was the one that was in the initial integration of Splunk. We ended up with Splunk as our main SIEM. I've never had any issues with it and I enjoyed it. 

We will see cost efficiencies mainly just from saving time and the shortened time and response to those incidents that we see. The fact that everything's organized in one application, we should see a bit of an increase in efficiency.

I do see the possibility and the opportunity to increase the meantime to resolution by a lot. We use several different applications to monitor logs. We have the vision. 

I've seen some of the updates and changes like Splunk AI and Splunk Vision Control that look nice. I didn't manage to get on some of the hands-on, which would have been lovely. I would like to get more ideas on how we can integrate Splunk into our networks. 

I would rate Splunk Enterprise Security a nine out of ten. I see the opportunity and I'm hoping with our engineer that we can get to where we can make the best use of Splunk. It really seems great. A lot of our staff here were all ready to use it. We're just hoping our engineer can get to the place where we can actually make use of it. 

The biggest value I get from attending a Splunk conference is being able to see the updates, changes, the features they're adding, the Splunk AI, and Splunk Vision Control. That's been nice. I am looking forward to some of the sessions. I want to get more ideas on how we can integrate Splunk into our networks and things like that, especially focusing on cybersecurity. I would also like to see some of the stock sessions because it's a brand new stock. We're trying to stand it up. Seeing how they're using it for stocks would be great.

Enterprise Security has reduced our mean time to detection to results. It used to take 25 to 30 minutes and now it's down to less than ten minutes. 

Our customer has been far more satisfied with our incident response and remediation since we adopted Splunk several years ago.

Our time to value was within a few weeks to a month.

The most valuable feature is the incident dashboard, and the extensive use of correlation searches, which isn't available with a standard Splunk search package. This feature is important to me because it enables SOC analysts to do their job more efficiently and be able to investigate or mediate incidents at a faster pace.

Another benefit is the expansion of the use of ITSI, SOAR, and now Mission Control being able to holistically monitor an environment with one tool. Also with Mission Control, we have the ability to have one interface.

It's very easy to monitor a single cloud with ES solutions. I've worked with several other SIEM tools before and Splunk does it better.

Splunk's ability to predict, identify, and solve problems in real time is good. They do it better than other tools.

I am looking forward to their expansion of the use of AI. Using AI in the user interface will go a long way because one of the challenges in my organization is getting other people to use Splunk. A lot of people are averse to using new tools so if they make it even more user-friendly than it already is, I think that could go a long way.

I have been using Splunk Enterprise Security Enterprise for three and a half years. 

Stability is excellent. It is the most stable SIEM solution I've worked with.

Scalability is excellent. If you need to add more capacity, you can add more indexes, and more search heads as you need. The environment stays stable as you're doing it if you do it the right way. 

My environment is about nine indexes, four search heads, and about 800 GBs a day.

Their support is excellent. Every case I ever had to put in has been handled and resolved in a matter that I would hope for many support tickets.

I would rate them a ten out of ten because they are much more responsive than a lot of other vendors I've worked with.

Positive

There are mostly pros when comparing Splunk to its competitors because it collects data and analyzes it. It analyzes data better and in a more detailed, documented, and organized fashion than any other SIEM that I've worked with.

I have worked with Microsoft Sentinel and ArcSight.

I was involved in the initial setup with the help of their professional services. It was complex at first because my colleagues and I did not know the application that well. There was definitely a learning curve but once we started to understand how to design it the proper way and how to manage it the proper way which made things a lot easier.

It's more expensive than the other tools but it's worth it. Every penny is worth it. They do analytics better. They do security investigations better. They do everything better.

I would rate Splunk Enterprise Security a ten out of ten. I have worked with other SIEM solutions before and Splunk is the best one.

The biggest value I get out of attending a Splunk conference is getting to network with other people within my same account under my same account manager. I appreciate the ability to go to sessions about different support products that my organization doesn't use and try to help myself understand how some of these tools are used and how I could encourage my organization to use them.