Raymundo Perez - PeerSpot reviewer
Splunk Admin at Sempra Infraestructura
Real User
Top 5
Sep 13, 2025
Correlation and integration capabilities have streamlined our investigation and response efforts
Pros and Cons
  • "The features of Splunk Enterprise Security that I find most valuable are the correlation and correlation data."
  • "Splunk Enterprise Security could be improved in the dashboards that provide KPIs about environmental behavior."

What is our primary use case?

My main use cases for Splunk Enterprise Security are detection, attacks, analysis, and investigation.

What is most valuable?

The features of Splunk Enterprise Security that I find most valuable are the correlation and correlation data. These features have benefited my organization through the model of investigation, correlating with correlation alerts, and integration with other tools, which is a good point.

In my experience with other tools in previous jobs, the time is reduced by around 70% compared to the previous tool.

My impressions of Splunk's ability to predict, identify, and solve problems in real time are positive. There are points to consider when enriching the data with these kinds of inputs. It is a good opportunity for companies trying to start with this environment, though it might be a challenge for those who have been using it for a long time since it requires identifying the context and use cases.

What needs improvement?

Splunk Enterprise Security could be improved in the dashboards that provide KPIs about environmental behavior.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include correlation when we have inputs or tools about security, such as Forescout or CrowdStrike, which presents a good challenge.

My organization uses risk-based alerting in Splunk Enterprise Security, yet not optimally, which presents another challenge. My security ops team takes longer to remediate security incidents with Splunk Enterprise Security compared to our previous solution. It is very complex.

For how long have I used the solution?

I have been using Splunk Enterprise Security for four years.

Buyer's Guide
Splunk Enterprise Security
April 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: April 2026.
893,311 professionals have used our research since 2012.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as good. However, it depends on the Splunk architects or the best practices provided by the admins and power users. They should avoid creating bad practices in correlation alerts, queries, and dashboard reports, but overall, it is a good, stable product.

What do I think about the scalability of the solution?

Scaling is smooth in certain functionalities but can be more difficult when involving different areas. When under the same scope, it progresses smoothly.

How are customer service and support?

Customer service and technical support are good. They can sometimes be expensive, but the cost is appropriate given the professionalism in providing reports, diagnostics, and analyses.

We may need more follow-up for remediation, which is sometimes noted as expensive; however, it is acceptable as part of the partnership agreement.

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I was using another solution, SOAR, to address similar needs. It accomplishes that along with the implementation process, and I need to consider the different policies within the company regarding privileges, roles, and dependencies across different areas.

How was the initial setup?

The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is part of the onboarding process. We sometimes need to review it based on our needs or use cases we need to apply, and we need to correlate the data with different inputs, sometimes directly from security or IT data.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security. If the account executives for Splunk do not explain the implementation process clearly, we may face challenges, as our company's first question is usually about seeing immediate results for the amount spent. We often need to follow a process and achieve a certain maturity level, which requires a prompt response from our management.

What's my experience with pricing, setup cost, and licensing?

Regarding my experience with pricing, setup cost, and licensing, it is good. I saw around 2016 when the license was one option; however, now it is good, although sometimes it depends on the business of the company since we do not always have the budget to increase, decrease, or try to change.

Which other solutions did I evaluate?

The factors that led me to change to Enterprise include the new improvements. This is the correct path, and next year we will need to review the challenges concerning AI governance, which I plan to use in Splunk Enterprise Security.

What other advice do I have?

Splunk Enterprise Security has helped improve our organization's business resilience. It helps us respond to various needs in our different regions or plants, aiming to obtain critical information to reduce the impact of hacks in our plants.

I would absolutely recommend Splunk Enterprise Security. Every time I have the opportunity to promote or explain how it works, people say it is amazing, and I agree. It is an integrated solution that stands out against competitors, and though it may be expensive, it delivers good quality.

I would rate Splunk Enterprise Security overall a nine on a scale of one to ten, considering the current improvements.

Disclosure: My company has a business relationship with this vendor other than being a customer. Accenture
Last updated: Sep 13, 2025
Paul-Zhang - PeerSpot reviewer
Manager, Information Security at a financial services firm with 10,001+ employees
Real User
Top 5
Sep 11, 2025
Delivers efficient threat detection through big data analytics but requires improvement in reducing false positives and operational noise
Pros and Cons
  • "Splunk Enterprise Security is doing its job in helping improve my organization's business resilience."
  • "The biggest advantage I can see in Splunk Enterprise Security is the big data analytics."
  • "There is another new term called benign positives. It is better to clearly identify each definition of those terms since it has not been popular in the industry, and everyone needs to be aware of those things."
  • "The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are the false positive alerts."

What is our primary use case?

My main use cases for Splunk Enterprise Security are threat detection use cases.

What is most valuable?

The biggest advantage I can see in Splunk Enterprise Security is the big data analytics. The simple search query with faster responding results is also appealing. My team handles large volumes of cybersecurity data. To be able to search against such a big amount of data with efficiency is the key driver for my team to do threat detection and data analytics.

What needs improvement?

Splunk Enterprise Security can be improved in many ways. I am very happy to experience the AI-powered security platform they are going to show us in the new version. Better identification of true positives and false positives should be included in future releases.

There is another new term called benign positives. It is better to clearly identify each definition of those terms since it has not been popular in the industry, and everyone needs to be aware of those things.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are the false positive alerts. As mentioned in the keynote, there is a lot of noise. Reducing the noise to make sure the SOC is operating more efficiently is one of the challenges my team is having. The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is not the easiest; however, it is not the most difficult one, so I would say it is medium.

For how long have I used the solution?

I have been using Splunk Enterprise Security for seven years.

What do I think about the stability of the solution?

I have experienced downtime, crashes, and performance issues, with the most recent one being a data ingestion issue from another security platform. This key data source is not being ingested, causing some downtime.

What do I think about the scalability of the solution?

Splunk Enterprise Security does not scale efficiently with the growing needs of my organization. Since it is on-premises, we have some scalability issues, and there are other new players coming up.

We have expanded the usage of Splunk Enterprise Security several times.

How are customer service and support?

I would evaluate customer service and technical support as adequate since my team does not deal with it directly. Another team dealt with them, and I found it to be acceptable as they have 24/7 support all over the world. 

They hand over to the next team in another country, but sometimes it takes time to do the transfer, and we have to explain all the problem issues again, which can be frustrating. For that, I would rate it a five.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.

How was the initial setup?

My experience with deploying Splunk Enterprise Security is actually another team's job, however, they are doing adequately.

What about the implementation team?

My organization is moving towards risk-based alerting in Splunk Enterprise Security. My team actually built our own risk-based alerting before they released it; however, we are looking forward to integrating both.

What was our ROI?

Splunk Enterprise Security is doing its job in helping improve my organization's business resilience. There are other competitors in the same field, so I find it neither particularly good nor bad.

What's my experience with pricing, setup cost, and licensing?

I don't directly deal with pricing.

What other advice do I have?

I would advise other organizations considering Splunk Enterprise Security that the new version looks impressive. If organizations want the new, complete package, I would recommend ES Premier, as it combines ES with TIM, UEBA, and SOAR.

On a scale of one to ten, I would rate Splunk Enterprise Security a seven. I believe ES is doing its job, but it is slightly behind its competitors. 

Other competitor platforms already have AI integrated, and they just announced it today, so it feels somewhat behind. However, I am looking forward to this new feature.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
Sreeni Mamidipaka - PeerSpot reviewer
IT Security Mgr at a legal firm with 1,001-5,000 employees
Real User
Top 10
Sep 11, 2025
Dashboards and reporting have streamlined our alert triaging and security investigations
Pros and Cons
  • "I would assess the stability and reliability of Splunk Enterprise Security as generally good, with very little downtime and few crashes or performance issues."
  • "Splunk Enterprise Security has helped improve my organization's business resilience by fulfilling gaps in forensics, incident management, IRP, and data management while helping us mature our security operations."
  • "Our organization has very limited resources, so we would want to expand some of those automation and AI capabilities to fill those gaps."
  • "My organization does not completely utilize risk-based alerting in Splunk Enterprise Security as it's not fully mature."

What is our primary use case?

My main use cases for Splunk Enterprise Security are log management and enterprise security. Those are the key.

How has it helped my organization?

Splunk Enterprise Security has helped improve my organization's business resilience. We load much of our data and information that we use. It's really helping us in our log management solution, and also for forensics and alert triaging purposes. Forensics is one of the big pieces, along with incident management, IRP, and data management. It's fulfilling all those gaps and helping us mature our security operations.

What is most valuable?

The features of Splunk Enterprise Security that I enjoy the most include reporting, dashboards, and RBA. These features have benefited my organization since the dashboards and reports help us review security alerts and events in a timely manner. The RBA is what we are currently working on to develop and have some early detection on security alerts and notifications.

Currently, I am using disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports my security operations by providing some visibility into security. Yet we have many basic issues where we need to fix the log sources, integration, and quality of the content that's going into Splunk Enterprise Security.

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security quite basic. We don't have any sophisticated process. We have contractors and MSSP who are timely filling those gaps, going through the rule review process, going through regular security testing, and prioritizing what is more important as an organization.

What needs improvement?

Though we have not completely explored the product functionality, Splunk Enterprise Security itself has many features. This morning I was reviewing all the AI capabilities, such as version 8.2 which has included incident triaging and process. That's probably a very good feature. Our organization has very limited resources, so we would want to expand some of those automation and AI capabilities to fill those gaps.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as generally good, with very little downtime and few crashes or performance issues. I've been with the organization for a little over a year. I have seen one or two occasions where the enterprise resources crashed. I haven't really seen any significant issues.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales efficiently with the growing needs of my organization since the distributed architecture is very well planned and easily scalable. All you need is to spin up a few additional resources and you can build your collectors, forwarders, and indexers. It's quite easy. At the same time, it comes with its own complexities since it's an on-premises solution.

Overall, it performs well. I haven't seen any outages or resource challenges while using it.

How are customer service and support?

I would evaluate customer service and technical support as very responsible. Anytime that we have issues or challenges, I could see they were helping us behind the scenes and going through all these improvements. They were excellent.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In previous organizations, I have been well-versed with many other SIM tools. QRadar is one prominent tool I used. The McAfee Nitro, which isn't available anymore, was another. RSA NetWitness, RSA enVision, and ArcSight were among the many tools I've used. In modern SIM tools, I am more familiar with Sentinel and Google Chronicle. I would say Splunk Enterprise Security has more capabilities, and maturity-wise and roadmap-wise, this product has become much more mature than the other two products I could compare.

How was the initial setup?

I was not present for the deployment.

What was our ROI?

I have definitely seen a return on investment with Splunk Enterprise Security.

What other advice do I have?

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection relate to the RBA, which is something that we were struggling with. We are working with the SIM and our reseller to streamline that process. That's something that's not easy for every organization. We are going through the same turbulence.

My organization does not completely utilize risk-based alerting in Splunk Enterprise Security as it's not fully mature. It is supporting our SOC in a limited way. We still have a long way to go. The product is not completely mature. We are a unique organization, so it requires additional resources to get that work done.

My organization is in the process of expanding our security use cases. It's a multi-year model where we are strategizing and exploring all our security needs. I would say we are still in the early phase. Although we have the product in place, it was not yet mature due to some resource issues.

My advice to other organizations considering Splunk Enterprise Security is that it's a good product. It's definitely helpful. If somebody is looking for security and log management, investigations, incident, and IRP, then they can look into this product and explore it. It's one of the market-leading products. It definitely stays up to the mark. 

On a scale of one to ten, I rate this solution an eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
Sunny-Kumar - PeerSpot reviewer
Cyber Security Analyst at airtel
Real User
Top 5
Apr 23, 2026
Real-time threat monitoring has strengthened resilience but support and automation still need work
Pros and Cons
  • "Splunk Enterprise Security helps improve our organization's business resilience because it is very useful for real-time monitoring and investigation."
  • "The technical support can be improved because sometimes when we call them, the issues are not resolved immediately and tickets take time to be addressed."

What is our primary use case?

In my organization, there are many use cases for Splunk Enterprise Security, including potential risk, brute force attack, malware attack, ransomware attacks, and firewall-related use cases. We also have switch-related, inbound traffic, outbound traffic, login failure, and successful login use cases. I estimate there are more than 150 use cases in our organization.

What is most valuable?

What I appreciate about Splunk Enterprise Security is that it is very intuitive and basic to use.

The best features of Splunk Enterprise Security that I value include its ease of use, the SPL query language, and its straightforward handling. It provides real-time monitoring and investigation, which are the main features in SPL.

Splunk Enterprise Security helps improve our organization's business resilience because it is very useful for real-time monitoring and investigation. When any incidents occur, we can check and detect them in real-time.

What needs improvement?

I would like to see improvements in Splunk Enterprise Security regarding the integration of device automation and more automatic use cases in the licensing model, as well as reducing the incident time period and incident remediation time.

The technical support can be improved because sometimes when we call them, the issues are not resolved immediately and tickets take time to be addressed.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for more than three years.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable and I have not experienced any downtime or significant performance issues. I rate the stability of Splunk Enterprise Security as good.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales well with the growing needs of my organization, though urgent support is required for projects deployed at customer premises.

How are customer service and support?

I evaluate customer service and technical support from Splunk as requiring the raising of a ticket or calling a toll-free number for any technical issues, which they resolve with assistance.

Which solution did I use previously and why did I switch?

Before Splunk Enterprise Security, we used RSA NetWitness and also Sentinel.

What about the implementation team?

I am not directly involved in the deployment of Splunk Enterprise Security, but during the integration of devices, we have a team working on the onboarding process.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security. It is cost-effective since not many companies are using it right now compared to other SIEM tools.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup cost, and licensing is that Splunk Enterprise Security is very costly compared to other SIEM tools, but the advanced features justify the cost due to its real-time capabilities and user-friendly SPL features as a key differentiator. The licensing is also costly and based on events per second.

What other advice do I have?

I am currently working with Splunk Enterprise Security products and solutions. I work as a Splunk Admin with Splunk Cloud platform and Splunk Enterprise Security.

I do work with Splunk Enterprise Security but not with the Cloud. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security manageable.

There are many tasks we have to perform in the detection of Splunk Enterprise Security, but if we categorize them, we use the SPL commands. We have to use a query language of the SPL command and optimize and sort out the issue in a limited, minimum time period. These are the command lines we use to reduce the time and prioritize the issues.

We use disparate security solutions that integrate or import data into Splunk Enterprise Security, including Windows devices, Linux devices, and firewall devices. Many other devices are integrated, including the three main components of Splunk Enterprise Security: the forwarder, indexer, and search head. The forwarder collects data from different sources such as switches, firewalls, databases, or routers. These are the data sources integrated with our Splunk devices. The log source then collects the forwarder and sends it to the indexer. The indexer parses the logs, licenses the logs, and minimizes the logs in different formats including JSON format and TXT.IDS format. These are the two formats in which we have the logs stored in the indexer. The third component is the search head, where we perform searches in the dashboard and search console by redirecting to the indexer and extracting the necessary data.

My overall impressions of Splunk Enterprise Security's ability to predict, identify, and solve problems in real-time are positive. These include real-time investigation, incident identification, and minimizing the time required for response. The main components include the SPL command as a useful search processing language. We check the logs of the last three to four days and utilize the indexing box, including hot and cold buckets for storing logs. There are five types of buckets in Splunk Enterprise Security for this purpose.

I am using new threat detection features in Splunk Enterprise Security, including malware analysis, phishing email detection, and detection of malicious IPs, malicious tools, and URLs.

We have not faced any challenges in using Splunk Enterprise Security for advanced threat detection.

My organization uses risk-based alerting in Splunk Enterprise Security. We have a threshold in the search console for incidents. When any incident occurs, it can be categorized based on the number of occurrences as minor, moderate, major, or critical alerts depending on the threshold values.

I am not aware of specific enhancements or new features that should be included in future releases of Splunk Enterprise Security.

I decided to switch to Splunk Enterprise Security because my organization uses it and I have received training on it. The integration of devices with Splunk Enterprise Security is a significant factor, as it is a new technology with advanced real-time monitoring features.

The deployment model for Splunk Enterprise Security that I am using is on-premises.

I would advise other organizations considering Splunk Enterprise Security that it is a new product and new technology. It is easy to handle and has a straightforward deployment model. Use cases are also easy to create, and it provides real-time monitoring and incident detection, which is a valuable feature. My overall review rating for Splunk Enterprise Security is seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Apr 23, 2026
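Several reviewers above describe risk-based alerting (RBA): each detection adds a risk score to the host or user it concerns, and the aggregated score is bucketed into minor, moderate, major, or critical by thresholds. The following is an added illustration of that model written for this page; it is not Splunk's implementation, the risk events, rule names, score values, thresholds, and the "two distinct rules" corroboration requirement are all constructed assumptions chosen to show why aggregation suppresses single-rule noise.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample risk events (not real data). In an RBA model a matching
# detection rule writes a risk event against an entity instead of raising its
# own alert; the alert (notable) is derived from the entity's aggregated score.
RISK_EVENTS = [
    {"time": "2025-09-11T08:00:00", "entity": "host-042", "score": 20,
     "rule": "Brute Force Attempt", "tactic": "Credential Access"},
    {"time": "2025-09-11T09:30:00", "entity": "host-042", "score": 20,
     "rule": "Brute Force Attempt", "tactic": "Credential Access"},
    {"time": "2025-09-11T10:15:00", "entity": "host-042", "score": 40,
     "rule": "Malware Detected", "tactic": "Execution"},
    {"time": "2025-09-11T11:00:00", "entity": "host-042", "score": 30,
     "rule": "Outbound to Malicious IP", "tactic": "Command and Control"},
    # One noisy rule firing repeatedly for a single user: score adds up,
    # but there is no corroboration from a second rule.
    {"time": "2025-09-11T09:00:00", "entity": "user-alice", "score": 10,
     "rule": "Login Failure", "tactic": "Credential Access"},
    {"time": "2025-09-11T09:05:00", "entity": "user-alice", "score": 10,
     "rule": "Login Failure", "tactic": "Credential Access"},
    {"time": "2025-09-11T09:10:00", "entity": "user-alice", "score": 10,
     "rule": "Login Failure", "tactic": "Credential Access"},
    # Old high-score event that falls outside the 24h aggregation window.
    {"time": "2025-09-08T02:00:00", "entity": "host-099", "score": 80,
     "rule": "Malware Detected", "tactic": "Execution"},
    {"time": "2025-09-11T07:00:00", "entity": "host-099", "score": 5,
     "rule": "Login Failure", "tactic": "Credential Access"},
    {"time": "2025-09-11T11:30:00", "entity": "fw-edge", "score": 35,
     "rule": "Port Scan Detected", "tactic": "Discovery"},
    {"time": "2025-09-11T11:45:00", "entity": "fw-edge", "score": 30,
     "rule": "Outbound to Malicious IP", "tactic": "Command and Control"},
]

# Assumed reference time for the window (the sample data is dated around it).
NOW = datetime.fromisoformat("2025-09-11T12:00:00")

# Severity bands on the aggregated score; the threshold values are illustrative.
SEVERITY_THRESHOLDS = (("critical", 100), ("major", 60), ("moderate", 30), ("minor", 1))


def severity_for(score):
    """Map an aggregated risk score to a severity label."""
    for name, floor in SEVERITY_THRESHOLDS:
        if score >= floor:
            return name
    return "none"


def aggregate_risk(events, now=NOW, window_hours=24):
    """Sum risk per entity over the window ending at `now`.

    Returns {entity: {"score", "rules", "tactics", "events"}} with rules and
    tactics as sorted lists so the result is deterministic.
    """
    start = now - timedelta(hours=window_hours)
    agg = defaultdict(lambda: {"score": 0, "rules": set(), "tactics": set(), "events": 0})
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if not (start <= ts <= now):
            continue  # stale risk does not count toward the current score
        entry = agg[ev["entity"]]
        entry["score"] += ev["score"]
        entry["rules"].add(ev["rule"])
        entry["tactics"].add(ev["tactic"])
        entry["events"] += 1
    return {e: {**v, "rules": sorted(v["rules"]), "tactics": sorted(v["tactics"])}
            for e, v in agg.items()}


def risk_notables(events, now=NOW, window_hours=24, min_score=30, min_distinct_rules=2):
    """Entities whose aggregated risk should become a notable.

    Requires both a minimum score and corroboration from at least
    `min_distinct_rules` different rules, so one chatty rule cannot page the SOC
    on its own. Sorted by score, highest first.
    """
    out = []
    for entity, v in aggregate_risk(events, now, window_hours).items():
        if v["score"] >= min_score and len(v["rules"]) >= min_distinct_rules:
            out.append({"entity": entity, "severity": severity_for(v["score"]), **v})
    return sorted(out, key=lambda n: n["score"], reverse=True)


if __name__ == "__main__":
    for n in risk_notables(RISK_EVENTS):
        print(f"{n['severity']:>8}  {n['entity']:<10} score={n['score']:<4} rules={n['rules']}")
```

Running it produces two notables (host-042 critical, fw-edge major); user-alice reaches the "moderate" score band but is held back because only one rule contributed, and host-099's old malware event is ignored by the window.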
reviewer2499171 - PeerSpot reviewer
Security Engineer at a retailer with 10,001+ employees
Real User
Top 10
Nov 19, 2025
Investigations have started faster with strong alerting and improved visibility
Pros and Cons
  • "Generally speaking, their support is pretty good and their response time is pretty good."
  • "The huge price increases that have been experienced over the last couple of years do not appear to be justified by new features or items in general."

What is our primary use case?

Splunk Enterprise Security is used for many different things. Primarily, it is used to create alerts for different use cases that need to be monitored, and then investigations can be created. At a high level, that is where many investigations start from.

What is most valuable?

Business resilience is valuable, though I am not completely certain about Splunk Enterprise Security in that regard. Visibility would be considered a valuable feature. The more I think about it, business resilience is probably valuable as well.

What needs improvement?

The pricing of Splunk Enterprise Security is probably one of the main pain point areas. It is probably the only area that has us looking elsewhere for other options, just to see what is available even just because of the price. While it is a good product, the huge price increases that have been experienced over the last couple of years do not appear to be justified by new features or items in general. Pricing is the area that has everyone looking elsewhere to see what other options exist. The prices definitely make your eyes water when you see them.

Splunk Enterprise Security could improve its pricing. This seems to have been a theme across the board at the Splunk conference this year. The general consensus is that pricing continues to increase significantly every year, not just by a couple of dollars.

For how long have I used the solution?

Splunk Enterprise Security has been used in my career overall for about six years.

What do I think about the stability of the solution?

The only instability that has been experienced with Splunk Enterprise Security is from inefficient searches and things configured incorrectly. Stability is ranked pretty high for the product.

What do I think about the scalability of the solution?

Scalability for Splunk Enterprise Security is ranked pretty high.

How are customer service and support?

I have tried contacting Splunk Enterprise Security support, and I am currently dealing with some technical support items. Technical support is relied upon pretty regularly. Generally speaking, their support is pretty good and their response time is pretty good. The caveat to that is that recently, there are some pretty interesting issues that seem to take a long time and a lot of back and forth just to get to the right people for some advanced challenging issues. When you open up a support case, you are assigned somebody at tier one support. There is no way to bypass that or indicate that this is a more advanced issue. Everything goes through the same process, and there is no way to really get advanced technical support from the beginning. You have to start at level one, and they set up a meeting and a call to explain the issue and show what is being experienced. There is a lot of back and forth, and then maybe if you are fortunate, you get assigned a more senior person after a week or two. For some cases, it takes maybe three or four weeks before you are actually in touch with people who can actually help with the issue. There is a lot of back and forth, a lot of emails, and a lot of troubleshooting and screenshots and communication for three to four weeks later before you can finally get a hold of somebody who is actually able to point you in the right direction.

Splunk Enterprise Security would be given a score of eight or nine overall for support. It is just the amount of time that it takes to get support for some advanced issues. You have to start at the bottom and keep communicating and working your way up that chain. Overall, it is a solid eight or nine, but sometimes it takes a decent amount of effort and time to get there.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Nothing has been used before Splunk Enterprise Security.

How was the initial setup?

When first starting to use Splunk Enterprise Security, the initial deployment was already stood up, so much of it was personal learning. I cannot really speak on behalf of other people who have stood Splunk Enterprise Security up.

What about the implementation team?

Splunk Enterprise Security is a pretty complex tool, and it is always changing. There are always new things, even with 8.0 to 8.2. There are always things that are being renamed and moved around and called different things and the UI is changing. That has definitely added to the learning curve. It is a pretty complex tool, so there is a pretty steep learning curve personally just because there are so many things that it does and controls and a lot of things to consider.

What was our ROI?

Splunk Enterprise Security has not helped to reduce the team's mean time to detect, the MTTD metric. A service provider, managed service provider, is utilized for items like that.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is not being used with the observability platform at this point.

Which other solutions did I evaluate?

Splunk Enterprise Security has not been upgraded to 8.0. The upgrade to 8.2 is in the works, probably in the next two months or less.

What other advice do I have?

Risk-based Alerting, as Splunk Enterprise Security calls it, is being used. There are some pros and cons associated with it. The organization is not mature enough for Risk-based Alerting to speak on any pros or cons too much because of how Risk-based Alerting works. Many of the underlying fundamental pieces have not been built or are not mature enough to really calculate the risk scores correctly. While Risk-based Alerting is enabled and turned on and some risk-based alerts have been created, generally speaking, the organization is not mature enough in some of the other areas to really use a lot of the granular details of what Risk-based Alerting is for. However, it is on the path for progression. The overall review rating for Splunk Enterprise Security is nine.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Nov 19, 2025
Manoj Subramanya - PeerSpot reviewer
Senior Product Manager at Recorded Future
Video Review
Real User
Top 5
Sep 11, 2025
Improves threat detection by correlating external intelligence with internal alerts and reduced response times through enriched visibility
Pros and Cons
  • "The feature I appreciate the most about Splunk Enterprise Security is the CIM data model, which allows users to bring in data from different technologies, such as firewalls, endpoints, and perimeter DMZs, enabling every device to pump data into Splunk Enterprise Security, with the data model normalizing all the data and placing it in a common plane."
  • "Splunk Enterprise Security's risk-based alerting has been a game-changer for us, adding intelligence to alerts by considering behavioral or internal asset-based criteria, effectively helping us prioritize alerts and filtering out noise that can be ignored."
  • "While Splunk Enterprise Security is powerful, it presents significant complexity for users, as it's not particularly user-friendly for beginners."

What is our primary use case?

My main use cases for Splunk Enterprise Security have evolved over various roles, primarily focusing on the correlation of external threat intelligence with the notables existing in Splunk Enterprise Security. We currently emphasize making it easier for our customers to bring in external threat intelligence, such as from Recorded Future, and correlate it against their entire telemetry to create notables indicative of alerts that could have been missed by traditional defenses.

What is most valuable?

The feature I appreciate the most about Splunk Enterprise Security is the CIM data model, which allows users to bring in data from different technologies, such as firewalls, endpoints, and perimeter DMZs, enabling every device to pump data into Splunk Enterprise Security, with the data model normalizing all the data and placing it in a common plane.

The main benefit of Splunk Enterprise Security features is the increased visibility of our data itself since we can pump in all the data from every security device within our enterprise, providing comprehensive visibility in a single pane of glass without needing to check every tool for individual alerts, allowing us to identify outliers and anomalies easily and build detection rules across multiple technologies.

Splunk Enterprise Security's risk-based alerting has been a game-changer for us. Previously, we were flooded with many alerts, leading to alert fatigue; now, risk-based alerting adds intelligence to alerts by considering behavioral or internal asset-based criteria, effectively helping us prioritize alerts and filtering out noise that can be ignored.

When it comes to leveraging Splunk Enterprise Security's dashboards and visualizations, we struggle to communicate our security posture effectively to leaders such as the CISO, yet Splunk Enterprise Security provides the ability to create tailored reports from generated data using correlations, macros, and specific metrics such as MTTR or MTTD, allowing us to convert this into strategic or tactical-level reports sent directly to the CISO for situational awareness.

Splunk Enterprise Security assists our SOC team in prioritizing and investigating high-fidelity alerts effectively after we triage and identify them; there are various ways to dig deeper, either by building search queries that expand the scope to other data sources or using adaptive response actions to gather additional context, aggregating everything inside Enterprise Security for a comprehensive investigation.

What needs improvement?

While Splunk Enterprise Security is powerful, it presents significant complexity for users, as it's not particularly user-friendly for beginners. I recommend focusing on building user-driven guided workflows to help newcomers navigate and efficiently use the platform through simple guides.

I also see room for improvement in the integration of Splunk SOAR, which currently has some limitations regarding its data use in downstream playbooks.

For how long have I used the solution?

I have been using Splunk Enterprise Security for approximately seven to eight years, starting even before my current role.

What do I think about the stability of the solution?

I find Splunk Enterprise Security to be generally reliable and stable, as we haven't experienced issues with downtime or crashes despite having a single-node cluster, which has been sufficient for our operational needs.

What do I think about the scalability of the solution?

One of the main reasons we moved to Splunk Enterprise Security is its ability to scale with our growing needs, as it easily accommodates additional compute and storage, and even for on-premises deployment, it simplifies the process of adding those resources as we expand our telemetry.

How are customer service and support?

I would give Splunk customer service an okay rating since they handle standard queries with clear responses; however, the experience can vary when tailored queries arise, sometimes leading to delays in communication, which highlights areas for possible improvement.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Before adopting Splunk Enterprise Security, we relied on a couple of open-source tools, yet soon realized they weren't scaling to our needs, prompting the decision to switch to a more scalable solution backed by support.

What was our ROI?

From my point of view, the biggest return on investment when using Splunk Enterprise Security comes from its flexibility to bring any data into the platform for visibility, which is hard to achieve with other platforms; this capability, combined with features such as UEBA and risk-based alerting, reduces the need for full-time employees in my SOC while allowing easy integration with external threat intelligence to reveal hidden threat patterns, resulting in reduced MTTD, MTTR, and enhanced situational awareness.

What's my experience with pricing, setup cost, and licensing?

I don't directly handle pricing, yet my experience indicates that Splunk tends to be on the expensive side as a SIEM platform, so I suggest users consider a phased deployment starting with Splunk Cloud or Splunk ES and then expanding capabilities over time rather than embarking on a full deployment initially.

What other advice do I have?

In our strategy to combat insider threats and advanced persistent threats, Splunk Enterprise Security plays an important role with its UEBA features, helping us identify outliers from baseline behavior, which assists in detecting anomalies or insider threats that may otherwise slip through traditional defenses.

I advise organizations considering Splunk Enterprise Security to proceed if you are already a big Splunk shop with the underlying platform deployed, as it seamlessly integrates with your existing data and allows easy onboarding of additional technologies within the Splunk ecosystem without additional overhead.

Considering the overall performance, I would rate Splunk Enterprise Security as an eight out of ten, recognizing it as a powerful platform within our SOC toolkit.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partners
Last updated: Sep 11, 2025
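The two mechanisms the review above leans on, CIM-style normalization of vendor-specific events onto one schema and risk-based alerting that accumulates scores per entity instead of alerting on every rule hit, are modelled below as an added Python example. It is not code from the reviewer, from PeerSpot or from Splunk: in Splunk Enterprise Security these are data models, correlation searches and the risk index, all driven by SPL, whereas this script only shows the mechanics on constructed events. The vendor field names, the asset lookup, the rule scores, the suspicious-port list and the alert condition (total risk of at least 100 from at least two distinct rules inside a window) are all assumptions chosen for the illustration, not Splunk's defaults.

```python
"""Toy model of CIM-style normalization feeding risk-based alerting.
Added illustration, not Splunk Enterprise Security code."""
from collections import defaultdict

# Constructed sample events from three made-up sources ("fw", "edr", "auth"),
# each with its own field names.  None of this is real product output.
RAW_EVENTS = [
    {"vendor": "fw",   "ts": 5,   "srcip": "10.0.0.7", "dstip": "203.0.113.9", "dport": 4444, "act": "allow"},
    {"vendor": "fw",   "ts": 100, "srcip": "10.0.0.5", "dstip": "203.0.113.9", "dport": 4444, "act": "allow"},
    {"vendor": "edr",  "ts": 120, "host": "ws01", "user_name": "alice",
     "proc": "PowerShell.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"vendor": "fw",   "ts": 130, "srcip": "10.0.0.5", "dstip": "203.0.113.9", "dport": 4444, "act": "allow"},
    {"vendor": "edr",  "ts": 140, "host": "ws02", "user_name": "bob",
     "proc": "chrome.exe", "cmdline": "chrome.exe --profile-directory=Default"},
    {"vendor": "auth", "ts": 150, "username": "alice", "result": "failure", "client": "10.0.0.5"},
    {"vendor": "auth", "ts": 160, "username": "bob",   "result": "failure", "client": "10.0.0.7"},
    {"vendor": "auth", "ts": 170, "username": "bob",   "result": "failure", "client": "10.0.0.7"},
    {"vendor": "auth", "ts": 180, "username": "bob",   "result": "failure", "client": "10.0.0.7"},
]

# Assumed asset lookup (IP -> hostname); the role ES's asset framework plays.
ASSETS = {"10.0.0.5": "ws01", "10.0.0.7": "ws02"}
SUSPICIOUS_PORTS = {4444, 1337}  # assumption for the illustration


def normalize(raw):
    """Map one vendor record onto common field names, as the CIM does."""
    v = raw["vendor"]
    if v == "fw":
        return {"_time": raw["ts"], "model": "network",
                "src": raw["srcip"], "dest": raw["dstip"], "dest_port": raw["dport"],
                "action": "allowed" if raw["act"] == "allow" else "blocked",
                "host": ASSETS.get(raw["srcip"], raw["srcip"])}
    if v == "edr":
        return {"_time": raw["ts"], "model": "endpoint", "host": raw["host"],
                "user": raw["user_name"], "process_name": raw["proc"].lower(),
                "process": raw["cmdline"]}
    if v == "auth":
        return {"_time": raw["ts"], "model": "auth", "user": raw["username"],
                "action": raw["result"], "src": raw["client"],
                "host": ASSETS.get(raw["client"], raw["client"])}
    raise ValueError(f"no normalizer for vendor {v!r}")


# Detection rules written once against the common schema.  A hit does not
# alert by itself; it only adds a score to the entity's accumulated risk.
RULES = [
    ("Allowed outbound to uncommon port", 30,
     lambda e: e["model"] == "network" and e["action"] == "allowed"
     and e["dest_port"] in SUSPICIOUS_PORTS),
    ("Encoded PowerShell command line", 40,
     lambda e: e["model"] == "endpoint" and e["process_name"] == "powershell.exe"
     and "-enc" in e["process"].lower()),
    ("Authentication failure", 10,
     lambda e: e["model"] == "auth" and e["action"] == "failure"),
]


def risk_events(events):
    """Run every rule over every normalized event and yield risk rows."""
    for e in events:
        for name, score, match in RULES:
            if match(e):
                yield {"_time": e["_time"], "risk_object": e["host"],
                       "rule": name, "score": score}


def aggregate(rows, now, window, threshold=100, min_rules=2):
    """Sum risk per object inside the window and decide what alerts.
    threshold and min_rules are assumed values for the illustration."""
    per_object = defaultdict(lambda: {"score": 0, "rules": set()})
    for r in rows:
        if r["_time"] < now - window:  # stale hits age out of the score
            continue
        agg = per_object[r["risk_object"]]
        agg["score"] += r["score"]
        agg["rules"].add(r["rule"])
    alerts = sorted(obj for obj, a in per_object.items()
                    if a["score"] >= threshold and len(a["rules"]) >= min_rules)
    return dict(per_object), alerts


def run_pipeline(raw_events, now, window, **kw):
    """Normalize, score and aggregate; returns (per-object risk, alert list)."""
    events = [normalize(r) for r in raw_events]
    return aggregate(risk_events(events), now, window, **kw)


if __name__ == "__main__":
    scores, alerts = run_pipeline(RAW_EVENTS, now=200, window=100)
    for obj, a in sorted(scores.items()):
        print(f"{obj}: risk={a['score']} rules={sorted(a['rules'])}")
    print("alert on:", alerts)
```

With the constructed input, ws01 accumulates 110 points from three different rules (two allowed connections to port 4444, an encoded PowerShell launch and a failed logon) and is the only object that alerts; ws02 collects 30 points from a single rule, the kind of noise the reviewer says risk-based alerting filters out, and the firewall hit at ts=5 is ignored because it falls outside the window. Widening the window to 1000 pulls that old hit in, lifting ws02 to 60 points from two rules, still short of the threshold.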
Michael Waite - PeerSpot reviewer
IT Orchestration Architect at Penn State University
Real User
Top 5
Sep 11, 2025
Reduces detection and response times significantly by enabling analysts to manage end-to-end incidents through a single pane of glass
Pros and Cons
  • "I evaluate customer service and technical support as excellent."
  • "An example of how these features benefited my organization is that the mean time from when we detect a compromised account to when we launch automation to disable the account and work with the end user to fix the issue has gone from a couple of days to literally two to three minutes."
  • "I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be challenging at times. It takes some of our more advanced engineers to be able to work through a lot of those processes."

What is our primary use case?

My primary use cases for Splunk Enterprise Security are correlation searches and the workflow that enables our SOC analysts to work through an entire incident from start to finish.

How has it helped my organization?

An example of how these features benefited my organization is that the mean time from when we detect a compromised account to when we launch automation to disable the account and work with the end user to fix the issue has gone from a couple of days to literally two to three minutes.

What is most valuable?

The features of Splunk Enterprise Security that I value most are the correlation searches, being able to bring multiple things together and have one result to look at in a single pane of glass.

What needs improvement?

I'm not sure how Splunk Enterprise Security can be improved, but I'm sure it will be improved; the features they add are constantly ones I never even think of. One of the big things is making it a little easier for the intro analyst to understand and work through without a lot of dedicated training.

For how long have I used the solution?

I've been using Splunk Enterprise Security for probably about the last two years.

What do I think about the stability of the solution?

In assessing the stability and reliability of Splunk Enterprise Security, I have not experienced any issues that would be in Splunk's realm.

What do I think about the scalability of the solution?

Splunk Enterprise Security has scaled very well with the growing needs of my organization. We started out with a smaller deployment, and now we're ingesting multiple terabytes of data a day and it scales with as much hardware as we can throw at it.

How are customer service and support?

I evaluate customer service and technical support as excellent. Anytime that we've had an issue, we've been able to engage with Splunk support, and we also have agreements with some other folks that help us out, some private organizations that we leverage.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, we were just using Splunk Enterprise and formulating our own searches and finding stuff ourselves.

How was the initial setup?

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be challenging at times. It takes some of our more advanced engineers to be able to work through a lot of those processes.

The challenges with deploying something like Splunk Enterprise Security are getting the data in, knowing what data you need, and trying to find it and normalize it. It's such a vast area, and we're such a distributed organization, that getting all that information in one place has been a challenge.

What about the implementation team?

The process to expand usage has been smooth.

What was our ROI?

I have absolutely seen a return on investment with Splunk Enterprise Security. I can say that just because of the time that the analysts would take, and I can say that we have saved man-hours, which in the end is money. On average, my SecOps team takes probably at least a quarter of the time, if not more, to remediate security incidents with Splunk Enterprise Security compared to our previous solution.

Now that we can show that we're able to reduce that mean time to detection, we're getting a lot more buy-in. A lot more people are interested in that, and they're excited about it. That really helps out.

What's my experience with pricing, setup cost, and licensing?

I'm not familiar with the setup costs.

What other advice do I have?

The advice I would give to other organizations considering Splunk Enterprise Security is to work with professional services. It's a large undertaking for your SOC, so work with professional services that have seen different examples and situations, and lean on their expertise to help you develop the right solution.

I would rate Splunk Enterprise Security overall on a scale of one to ten as probably about an eight; there's still some work to be done, however, it's the best that we can do right now.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025
Dennis Mohn - PeerSpot reviewer
Business Development Manager at Axians Germany
Real User
Top 5
Sep 11, 2025
Reduces implementation time through integrated security features and streamlined threat detection
Pros and Cons
  • "It actually helps us by not having to develop all the use cases ourselves, providing an integrated product that has everything in one place."
  • "I really appreciate the all-integrated SIEM feature of Splunk Enterprise Security, which serves as a one-stop shop to get all security tasks done."
  • "Splunk Enterprise Security can be improved with more ease of configuration. It is pretty straightforward to get it started, however, to really check if my data is all available and how to activate the right use case and the right correlations is still sometimes a hassle."

What is our primary use case?

My main use cases for Splunk Enterprise Security are building SIEMs for our customers, implementing it at customer sites, and using it for our own developments.

What is most valuable?

I really appreciate the all-integrated SIEM feature of Splunk Enterprise Security, which serves as a one-stop shop to get all security tasks done. It actually helps us by not having to develop all the use cases ourselves, providing an integrated product that has everything in one place.

It has integrated threat intelligence and an integrated use case library, so it requires only one installation and configuration. This specifically benefits my organization by reducing the implementation time at our customers, getting faster time to value with a better turnover rate for our customers.

We are using disparate security solutions that integrate or import data into Splunk Enterprise Security. We are implementing all data sources that are somehow possible, so there's no limitation to that.

The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is pretty straightforward. Developing our own solutions works well, and using the Security Essentials and Enterprise Security content libraries is also a very good way to progress.

What needs improvement?

Splunk Enterprise Security can be improved with more ease of configuration. It is pretty straightforward to get it started, however, to really check if my data is all available and how to activate the right use case and the right correlations is still sometimes a hassle. A guided mode to help us understand how to get started, improve data quality, and prepare data more efficiently for use cases would be highly beneficial for us.

For how long have I used the solution?

I have been using Splunk Enterprise Security for the better part of seven or eight years now.

What do I think about the stability of the solution?

I have experienced downtime, however, it's very little. The downtimes are mostly hardware issues such as network downtimes, which is nothing that Splunk has a say in. If you deploy a multi-site architecture and make it fail-safe, downtime isn't an issue.

What do I think about the scalability of the solution?

I have expanded usage a lot. Scaling, both volume-wise and usage-wise, has never been a problem with Splunk Enterprise Security for me or for our customers.

How are customer service and support?

I evaluate customer service and technical support from Splunk as perfect. I'm very confident in what the partner SEs and the Splunk Professional Service team can do. If I need to reach out to them, I get instant replies, and the Splunk community itself is very helpful as well. On a scale of one to ten, I would give it a ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I was using another solution to address similar needs. We were using Splunk Core with our own developments and helped several customers migrate away from products such as QRadar and FortiSIEM; however, our main go-to platform is still Splunk Enterprise Security.

How was the initial setup?

My experience deploying Splunk Enterprise Security is, all in all, pretty straightforward. If you know how to set it up, it's very good.

What was our ROI?

I have seen ROI with Splunk Enterprise Security. 

One example is a situation with a customer where we started installing it and actually found active breaches that were close to being used and leveraged for blackmailing or compromising the customer. We couldn't calculate what the cost would have been if they had actually been compromised; however, they were in the process, so every investment was returned immediately. It was definitely significant.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup costs, and licensing is a bit difficult. There are competitors that are more cost-effective. That said, for the feature set that Splunk offers, it's okay. It is on a solid foundation, so there could be more rebates and opportunities for us as a partner to offer it to our customers. Still, it's competitive.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are primarily related to customer pricing concerns. I find it's okay for a premium product on top of the Splunk base; however, the pricing is one thing, and I don't know if it's the same for all regions. We specifically sometimes have difficulties getting a smaller license than the Splunk Core one if we don't want to ingest all the data into Splunk Enterprise Security.

What other advice do I have?

My advice to other organizations considering Splunk Enterprise Security is to try it if you don't know about it yet.

On a scale of one to ten, I would rate Splunk Enterprise Security overall as an eight. Sometimes it is a bit hard to get the searches and the data done, but all in all, it's a great product.

Which deployment model are you using for this solution?

On-premises

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Sep 11, 2025
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2026