Security Engineer at a retailer with 10,001+ employees
Investigations have started faster with strong alerting and improved visibility
Pros and Cons
- "Generally speaking, their support is pretty good and their response time is pretty good."
- "The huge price increases that have been experienced over the last couple of years do not appear to be justified by new features or items in general."
What is our primary use case?
Splunk Enterprise Security is used for many different things. Primarily, it is used to create alerts for different use cases that need to be monitored, and then investigations can be created. At a high level, that is where many investigations start from.
What is most valuable?
Business resilience is valuable, though I am not completely certain about Splunk Enterprise Security in that regard. Visibility would be considered a valuable feature. The more I think about it, business resilience is probably valuable as well.
What needs improvement?
The pricing of Splunk Enterprise Security is probably one of the main pain point areas. It is probably the only area that has us looking elsewhere for other options, just to see what is available even just because of the price. While it is a good product, the huge price increases that have been experienced over the last couple of years do not appear to be justified by new features or items in general. Pricing is the area that has everyone looking elsewhere to see what other options exist. The prices definitely make your eyes water when you see them.
Splunk Enterprise Security could improve its pricing. This seems to have been a theme across the board at the Splunk conference this year. The general consensus is that pricing continues to increase significantly every year, not just by a couple of dollars.
For how long have I used the solution?
Splunk Enterprise Security has been used in my career overall for about six years.
What do I think about the stability of the solution?
The only instability that has been experienced with Splunk Enterprise Security is from inefficient searches and things configured incorrectly. Stability is ranked pretty high for the product.
What do I think about the scalability of the solution?
Scalability for Splunk Enterprise Security is ranked pretty high.
How are customer service and support?
I have tried contacting Splunk Enterprise Security support, and I am currently dealing with some technical support items. Technical support is relied upon pretty regularly. Generally speaking, their support is pretty good and their response time is pretty good. The caveat to that is that recently, there are some pretty interesting issues that seem to take a long time and a lot of back and forth just to get to the right people for some advanced challenging issues. When you open up a support case, you are assigned somebody at tier one support. There is no way to bypass that or indicate that this is a more advanced issue. Everything goes through the same process, and there is no way to really get advanced technical support from the beginning. You have to start at level one, and they set up a meeting and a call to explain the issue and show what is being experienced. There is a lot of back and forth, and then maybe if you are fortunate, you get assigned a more senior person after a week or two. For some cases, it takes maybe three or four weeks before you are actually in touch with people who can actually help with the issue. There is a lot of back and forth, a lot of emails, and a lot of troubleshooting and screenshots and communication for three to four weeks later before you can finally get a hold of somebody who is actually able to point you in the right direction.
Splunk Enterprise Security would be given a score of eight or nine overall for support. It is just the amount of time that it takes to get support for some advanced issues. You have to start at the bottom and keep communicating and working your way up that chain. Overall, it is a solid eight or nine, but sometimes it takes a decent amount of effort and time to get there.
Which solution did I use previously and why did I switch?
Nothing has been used before Splunk Enterprise Security.
How was the initial setup?
When first starting to use Splunk Enterprise Security, the initial deployment was already stood up, so much of it was personal learning. I cannot really speak on behalf of other people who have stood Splunk Enterprise Security up.
What about the implementation team?
Splunk Enterprise Security is a pretty complex tool, and it is always changing. There are always new things, even with 8.0 to 8.2. There are always things that are being renamed and moved around and called different things and the UI is changing. That has definitely added to the learning curve. It is a pretty complex tool, so there is a pretty steep learning curve personally just because there are so many things that it does and controls and a lot of things to consider.
What was our ROI?
Splunk Enterprise Security has not helped to reduce the team's mean time to detect, the MTTD metric. A service provider, a managed service provider, is utilized for items like that.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is not being used with the observability platform at this point.
Which other solutions did I evaluate?
Splunk Enterprise Security has not been upgraded to 8.0. The upgrade to 8.2 is in the works, probably in the next two months or less.
What other advice do I have?
Risk-based Alerting, as Splunk Enterprise Security calls it, is being used. There are some pros and cons associated with it. The organization is not mature enough for Risk-based Alerting to speak on any pros or cons too much because of how Risk-based Alerting works. Many of the underlying fundamental pieces have not been built or are not mature enough to really calculate the risk scores correctly. While Risk-based Alerting is enabled and turned on and some risk-based alerts have been created, generally speaking, the organization is not mature enough in some of the other areas to really use a lot of the granular details of what Risk-based Alerting is for. However, it is on the path for progression. The overall review rating for Splunk Enterprise Security is nine.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Nov 19, 2025
IT Orchestration Architect at Penn State University
Reduces detection and response times significantly by enabling analysts to manage end-to-end incidents through a single pane of glass
Pros and Cons
- "I evaluate customer service and technical support as excellent."
- "An example of how these features benefited my organization is that the mean time to detect compromised accounts from the time that we're able to detect that account and then launch some automation to actually disable the account and work with the end user to fix the issue has gone from taking a couple of days to literally taking two to three minutes."
- "I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be challenging at times. It takes some of our more advanced engineers to be able to work through a lot of those processes."
What is our primary use case?
My primary use cases for Splunk Enterprise Security are correlation searches and the workflow that enables our SOC analysts to work through an entire incident from start to finish.
How has it helped my organization?
An example of how these features benefited my organization is that the mean time to detect compromised accounts from the time that we're able to detect that account and then launch some automation to actually disable the account and work with the end user to fix the issue has gone from taking a couple of days to literally taking two to three minutes.
What is most valuable?
The features of Splunk Enterprise Security that I value most are the correlation searches, being able to bring multiple things together and to have one result to look at in a single pane of glass.
What needs improvement?
I'm not sure how Splunk Enterprise Security can be improved, but I'm sure it will be improved; the features that they add, I constantly never even think of. One of the big things is making it a little easier for the intro analyst to be able to understand and work through without a lot of dedicated training.
For how long have I used the solution?
I've been using Splunk Enterprise Security for probably about the last two years.
What do I think about the stability of the solution?
I would assess the stability and reliability of Splunk Enterprise Security as having not experienced any issues that would be in the realm of Splunk's.
What do I think about the scalability of the solution?
Splunk Enterprise Security has scaled very well with the growing needs of my organization. We started out with a smaller deployment and now we're ingesting multiple terabytes of data a day and being able to scale as much hardware as we can throw at it.
How are customer service and support?
I evaluate customer service and technical support as excellent. Anytime that we've had an issue, we've been able to engage with Splunk support, and we also have agreements with some other folks that help us out, some private organizations that we leverage.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, we were just using Splunk Enterprise and formulating our own searches and finding stuff ourselves.
How was the initial setup?
I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be challenging at times. It takes some of our more advanced engineers to be able to work through a lot of those processes.
The challenges with deploying something like Splunk Enterprise Security are getting the data in, knowing what data you need, and trying just to find it and normalize it. It's such a vast area and we're such a distributed organization, trying to get all that information in one place has been a challenge.
What about the implementation team?
The process to expand usage has been smooth.
What was our ROI?
I have absolutely seen a return on investment with Splunk Enterprise Security. I can say that just because of the time that the analysts would take, and I can say that we have saved man-hours, which in the end is money. On average, my SecOps team takes probably at least a quarter of the time, if not more, to remediate security incidents with Splunk Enterprise Security compared to our previous solution.
Now that we can show that we're able to reduce that mean time to detection, we're getting a lot more buy in. So a lot more people are interested in that, and they're excited about that. So that really helps out.
What's my experience with pricing, setup cost, and licensing?
I'm not familiar with the setup costs.
What other advice do I have?
The advice I would give to other organizations considering Splunk Enterprise Security is to work with professional services. It's a large undertaking for your SOC, so work with professional services that have seen different examples and situations and lean on their expertise to help you develop the right solution.
I would rate Splunk Enterprise Security overall on a scale of one to ten as probably about an eight; there's still some work to be done, however, it's the best that we can do right now.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Business Development Manager at Axians Germany
Reduces implementation time through integrated security features and streamlined threat detection
Pros and Cons
- "It actually helps us by not having to develop all the use cases ourselves, providing an integrated product that has everything in one place."
- "I really appreciate the all-integrated SIEM feature of Splunk Enterprise Security, which serves as a one-stop shop to get all security tasks done."
- "Splunk Enterprise Security can be improved with more ease of configuration."
- "Splunk Enterprise Security can be improved with more ease of configuration. It is pretty straightforward to get it started, however, to really check if my data is all available and how to activate the right use case and the right correlations is still sometimes a hassle."
What is our primary use case?
My main use cases for Splunk Enterprise Security are mainly building SIEM for our customers, implementing it at customer sites, and using it for our own developments.
What is most valuable?
I really appreciate the all-integrated SIEM feature of Splunk Enterprise Security, which serves as a one-stop shop to get all security tasks done. It actually helps us by not having to develop all the use cases ourselves, providing an integrated product that has everything in one place.
It has integrated threat intelligence and an integrated use case library, so it requires only one installation and configuration. This specifically benefits my organization by reducing the implementation time at our customers, getting faster time to value with a better turnover rate for our customers.
We are using disparate security solutions that integrate or import data into Splunk Enterprise Security. We are implementing all data sources that are somehow possible, so there's no limitation to that.
The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is pretty straightforward. Developing our own solutions is pretty good, and even though we are using the Security Essentials and the Enterprise Security content libraries, that's a very good way to progress.
What needs improvement?
Splunk Enterprise Security can be improved with more ease of configuration. It is pretty straightforward to get it started, however, to really check if my data is all available and how to activate the right use case and the right correlations is still sometimes a hassle. A guided mode to help us understand how to get started, improve data quality, and prepare data more efficiently for use cases would be highly beneficial for us.
For how long have I used the solution?
I have been using Splunk Enterprise Security for the best of seven or eight years now.
What do I think about the stability of the solution?
I have experienced downtime, however, it's very little. The downtimes are mostly hardware issues such as network downtimes, which is nothing that Splunk has a say in. If you deploy a multi-site architecture and make it fail-safe, downtime isn't an issue.
What do I think about the scalability of the solution?
I have expanded usage a lot. This expansion has improved the process as scalability and scaling volume-wise and usage-wise with Splunk Enterprise Security was never a problem for me nor our customers.
How are customer service and support?
I evaluate customer service and technical support from Splunk as perfect. I'm very confident in what the partner SEs and the Splunk Professional Service team can do. If I need to reach out to them, I get instant replies, and the Splunk community itself is very helpful as well. On a scale of one to ten, I would give it a ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, I was using another solution to address similar needs. We were using Splunk Core with our own developments and helped several customers migrate away from products such as QRadar and FortiSIEM, however, our main go-to platform is still Splunk Enterprise Security.
How was the initial setup?
My experience deploying Splunk Enterprise Security is all in all pretty straightforward. If you are used to how to set it up, it's very good.
What was our ROI?
I have seen ROI with Splunk Enterprise Security.
One example is a situation with a customer where we started installing it and actually found active breaches that were short of being used and leveraged for maybe blackmailing or compromising the customer. We couldn't calculate what would have been the cost if they had actually gotten compromised; however, they were in the process, so every investment was returned immediately. It was definitely significant.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup costs, and licensing is a bit difficult. There are competitors that are more cost-effective. That said, for the feature set that Splunk offers, it's okay. It is on a solid foundation, so there could be more rebates and opportunities for us as a partner to offer it to our customers. Still, it's competitive.
The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are primarily related to customer pricing concerns. I find it's okay for a premium product on top of the Splunk base, however, the pricing is one thing, and I don't know if it's the same for all regions. We specifically sometimes have difficulties getting a smaller license than the Splunk Core one if we don't want to ingest all the data into Splunk Enterprise Security.
What other advice do I have?
My advice to other organizations considering Splunk Enterprise Security is to try it if you don't know about it yet.
On a scale of one to ten, I would rate Splunk Enterprise Security overall as an eight. Sometimes it is a bit hard to get the searches and the data done, but all in all, it's a great product.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Senior Cyber Security Operations Engineer at a manufacturing company with 10,001+ employees
Improves detection and investigation workflows while streamlining alert creation for better resilience
Pros and Cons
- "I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security effective."
- "Splunk Enterprise Security streamlines the creation of what they call notables, which takes a lot of the effort that we would have to put into creating our own solution off the table and does it for us."
- "Splunk Enterprise Security is not exactly user-friendly."
- "Regarding customer service and technical support, their support is the worst I have ever run into in any industry."
What is our primary use case?
My main use cases for Splunk Enterprise Security are detection and investigation.
How has it helped my organization?
Splunk Enterprise Security has helped improve my organization's business resilience.
What is most valuable?
I never liked Splunk Enterprise Security much until the new version, and now that they've ramped up RBA and made changes in version eight, I prefer it much better.
Splunk Enterprise Security streamlines the creation of what they call notables, which takes a lot of the effort that we would have to put into creating our own solution off the table and does it for us.
We haven't made the newspaper yet, so Splunk Enterprise Security is doing its job. That integration supports my security operations very efficiently, or we wouldn't use it. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security effective. That's my bread and butter.
My organization uses risk-based alerting in Splunk Enterprise Security. The SOC is still in the development and testing phase for RBA, so they're not seeing any risk-based alerting yet. Within the next week or two, they should start seeing it.
I have no idea how long on average my SecOps team takes to remediate security incidents with Splunk Enterprise Security. I am not using any new threat detection features in Splunk Enterprise Security since we write our own correlation searches from scratch.
Regarding Splunk's ability to predict, identify, and solve problems in real-time: prediction capabilities are not present at all, identification is pretty good, and resolution is effective. It's a good tool. We've got really amazing people behind it, using it, and although there are only four of us behind it, we've got really amazing people using it.
What needs improvement?
Splunk Enterprise Security is not exactly user-friendly. The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are assets and identities, which are a pain in the neck, and the documentation for RBA is horrible.
They've got it now to where it pretty much deploys itself as long as you know what you're doing, yet it does some really weird and impractical things such as putting file extensions on lookup tables that shouldn't be there, which you have to go in and clean up. It's got some quirks that aren't documented, or not all documented.
For how long have I used the solution?
I have been working in this field for ten years and using Splunk Enterprise Security for eight.
What do I think about the stability of the solution?
I have not experienced any downtime, crashes, or performance issues based on Splunk Enterprise Security.
What do I think about the scalability of the solution?
We've expanded our license dramatically since the merger, and Splunk Enterprise Security handles it just fine. It's not really affected by scale; the infrastructure it sits on is affected by scale, however, the software itself isn't.
How are customer service and support?
Regarding customer service and technical support, their support is the worst I have ever run into in any industry. On the front line, they put people who don't know what they're doing, refuse to escalate, and are not helpful.
When we go to Splunk support, we've already done everything and are really good at what we do, however they make us do it over again or won't help us, and that's enough.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Way back in the day, we used QRadar, however, as soon as we converted to Splunk, we bought Splunk Enterprise Security with it.
How was the initial setup?
They've got it now to where it's pretty much as long as you know what you're doing, it deploys itself. However, it does some really weird things, like putting file extensions on lookup tables that shouldn't be there, that we have to go in and clean up.
It has some quirks that aren't documented or aren't fully documented. That's Splunk. They're not good with documentation. If you conduct thorough testing in a development or testing environment, you'll find 99% of what doesn't work and be prepared for it, ensuring that it does.
What was our ROI?
We have seen return on investment with Splunk Enterprise Security, and we're getting our money's worth. It streamlines the creation of what they call notables, which eliminates a significant amount of the effort that would be required to create our own solution, allowing us to achieve a good ROI.
Which other solutions did I evaluate?
I considered the change initially due to a better product, as it was an evaluation of a better product for a better price back then.
What other advice do I have?
My advice to other organizations considering Splunk Enterprise Security is that unless you're really big, don't spend the money. On a scale of one to ten, I rate this solution an eight.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Product Manager at Recorded Future
Video Review
Improves threat detection by correlating external intelligence with internal alerts and reduces response times through enriched visibility
Pros and Cons
- "The feature I appreciate the most about Splunk Enterprise Security is the CIM data model, which allows users to bring in data from different technologies, such as firewalls, endpoints, and perimeter DMZs, enabling every device to pump data into Splunk Enterprise Security, with the data model normalizing all the data and placing it in a common plane."
- "Splunk Enterprise Security's risk-based alerting has been a game-changer for us, adding intelligence to alerts by considering behavioral or internal asset-based criteria, effectively helping us prioritize alerts and filtering out noise that can be ignored."
- "While Splunk Enterprise Security is powerful, it presents significant complexity for users, as it's not particularly user-friendly for beginners."
What is our primary use case?
My main use cases for Splunk Enterprise Security have evolved over various roles, primarily focusing on the correlation of external threat intelligence in the notables existing in Splunk Enterprise Security, where we currently emphasize making it easier for our customers to bring in external threat intelligence such as from Recorded Future and correlate that against their entire telemetry to create notables indicative of alerts that could have been missed through traditional defenses.
What is most valuable?
The feature I appreciate the most about Splunk Enterprise Security is the CIM data model, which allows users to bring in data from different technologies, such as firewalls, endpoints, and perimeter DMZs, enabling every device to pump data into Splunk Enterprise Security, with the data model normalizing all the data and placing it in a common plane.
The main benefit of Splunk Enterprise Security features is the increased visibility of our data itself since we can pump in all the data from every security device within our enterprise, providing comprehensive visibility in a single pane of glass without needing to check every tool for individual alerts, allowing us to identify outliers and anomalies easily and build detection rules across multiple technologies.
Splunk Enterprise Security's risk-based alerting has been a game-changer for us. Previously, we were flooded with many alerts, leading to alert fatigue; now, risk-based alerting adds intelligence to alerts by considering behavioral or internal asset-based criteria, effectively helping us prioritize alerts and filtering out noise that can be ignored.
When it comes to leveraging Splunk Enterprise Security's dashboards and visualizations, we struggle to communicate our security posture effectively to leaders such as the CISO, yet Splunk Enterprise Security provides the ability to create tailored reports from generated data using correlations, macros, and specific metrics such as MTTR or MTTD, allowing us to convert this into strategic or tactical-level reports sent directly to the CISO for situational awareness.
Splunk Enterprise Security assists our SOC team in prioritizing and investigating high-fidelity alerts effectively after we triage and identify them; there are various ways to dig deeper, either by building search queries that expand the scope to other data sources or using adaptive response actions to gather additional context, aggregating everything inside Enterprise Security for a comprehensive investigation.
What needs improvement?
While Splunk Enterprise Security is powerful, it presents significant complexity for users, as it's not particularly user-friendly for beginners. I recommend focusing on building user-driven guided workflows to help newcomers navigate and efficiently use the platform through simple guides.
I also see room for improvement in the integration of Splunk SOAR, which currently has some limitations regarding its data use in downstream playbooks.
For how long have I used the solution?
I have been using Splunk Enterprise Security for approximately seven to eight years, starting even before my current role.
What do I think about the stability of the solution?
I find Splunk Enterprise Security to be generally reliable and stable, as we haven't experienced issues with downtime or crashes despite having a single-node cluster, which has been sufficient for our operational needs.
What do I think about the scalability of the solution?
One of the main reasons we moved to Splunk Enterprise Security is its ability to scale with our growing needs, as it easily accommodates additional compute and storage, and even for on-premises deployment, it simplifies the process of adding those resources as we expand our telemetry.
How are customer service and support?
I would give Splunk customer service an okay rating since they handle standard queries with clear responses; however, the experience can vary when tailored queries arise, sometimes leading to delays in communication, which highlights areas for possible improvement.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Before adopting Splunk Enterprise Security, we relied on a couple of open-source tools, yet soon realized they weren't scaling to our needs, prompting the decision to switch to a more scalable solution backed by support.
What was our ROI?
From my point of view, the biggest return on investment when using Splunk Enterprise Security comes from its flexibility to bring any data into the platform for visibility, which is hard to achieve with other platforms; this capability, combined with features such as UEBA and risk-based alerting, reduces the need for full-time employees in my SOC while allowing easy integration with external threat intelligence to reveal hidden threat patterns, resulting in reduced MTTD, MTTR, and enhanced situational awareness.
What's my experience with pricing, setup cost, and licensing?
I don't directly handle pricing, yet my experience indicates that Splunk tends to be on the expensive side as a SIEM platform, so I suggest users consider a phased deployment starting with Splunk Cloud or Splunk ES and then expanding capabilities over time rather than embarking on a full deployment initially.
What other advice do I have?
In our strategy to combat insider threats and advanced persistent threats, Splunk Enterprise Security plays an important role with its UEBA features, helping us identify outliers from baseline behavior that assists in detecting anomalies or insider threats that may otherwise slip through traditional defenses.
I advise organizations considering Splunk Enterprise Security to proceed if you are already a big Splunk shop with an underlying platform deployed, as it seamlessly integrates with your existing data and allows easy onboarding of additional technologies within the Splunk ecosystem without additional overhead.
Considering the overall performance, I would rate Splunk Enterprise Security as an eight out of ten, recognizing it as a powerful platform within our SOC toolkit.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partners
Service Lead at a manufacturing company with 10,001+ employees
Has improved real-time threat detection and supports better contextual awareness
Pros and Cons
- "The features of Splunk Enterprise Security that I prefer most are the correlation engine and the common information model, basically the aggregation of data."
- "The problem with Splunk Enterprise Security generally, from what I've seen in the last couple of years, is that it has a cultural, assumption design model around it, which means the company has to fit its internal processes in terms of how to use it."
What is our primary use case?
Splunk Enterprise Security is used by our SOC organization to aggregate and triage alerts used to identify IOCs.
How has it helped my organization?
Splunk Enterprise Security has a strong feature set that helps identify and solve problems in real time.
The benefits of those features for my organization, more specifically, are that it prevents us from being hacked.
What is most valuable?
The features of Splunk Enterprise Security that I prefer most are the correlation engine and the common information model, basically the aggregation of data. It's usually designed to take all the data, normalize it into a flat schema, so you can then see patterns more easily. That's the significant aspect.
What needs improvement?
The problem with Splunk Enterprise Security generally is that organizations struggle to fit it into their cultures and workflows. For better outcomes, companies have to fit their internal processes to how the tool has been designed. At times, this can be too complex to run and has high overhead, requiring constant tuning. Newer versions, e.g. 8.3, hint at greater ease of use.
For how long have I used the solution?
I have been working in my current field for around 12 years.
What do I think about the stability of the solution?
Reliability is all about the care and feeding of it. I have not experienced downtime, crashes, or performance issues with Splunk Enterprise Security.
How are customer service and support?
I would evaluate customer service and technical support as an eight on a scale of one to ten. Splunk Cloud's support is not bad. However, there's a gray area between what they do and what they don't do. What they don't do is the blind spot for most enterprise customers; they don't realize they have to handle certain responsibilities. There's a shared responsibility.
How would you rate customer service and support?
Positive
How was the initial setup?
Setup can be complex. Splunk has specific guidelines. Do your homework and read their SVA architecture and capacity manuals.
And always read their release notes.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup costs, and licensing for Splunk Enterprise Security is limited. The unit cost of Splunk Enterprise Security is slightly less than the core product.
What other advice do I have?
My advice to other organizations considering using Splunk Enterprise Security is to do your homework. Attend industry peer sessions and learn from other organizations. Splunk's partner program and the RBA Community offer compelling resources for new customers.
I would rate it an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Information Security Engineer at an outsourcing company with 1,001-5,000 employees
Video Review
Risk-based alerting has reduced false positives and helped us detect threats faster
Pros and Cons
- "Splunk Enterprise Security is so easy as it scales with us as we grow."
- "Splunk RBA or risk-based alerting definitely made our lives a lot easier; we went from hundreds of alerts having to be triaged a day, that generally could be false positives or just noise, and bubble them into one overall alert that we can look at on a per-day basis and see what's rising to the top and respond faster, have a higher rate of true positives and find evil a lot quicker."
- "The way Splunk Enterprise Security could improve is by pulling in and mapping my DHCP data and tracking users' IP addresses as it changes throughout sessions, and being able to keep track of who is actually assigned to what IP address more natively."
What is our primary use case?
My main use cases for Splunk Enterprise Security are being able to take our noisy level detections and using features such as risk-based learning that are built into Splunk Enterprise Security, and bubble them up into one larger alert, which makes it easier for us to go after and find adversaries throughout our network.
How has it helped my organization?
Splunk Enterprise Security has reduced our mean time to detect, especially when we switched to RBA. We've seen a noticeable decrease in our mean time to detect with RBA. I don't have the exact number. That said, it definitely has that potential and it's definitely worked in our implementation.
What is most valuable?
I really love the identity and asset lookups, being able to pull that identity data in and enrich our alerts that are going through. Finding next-level managers, locations, and being able to build out a bigger story for our analysts as they receive these alerts is a huge functionality that I personally love the most.
The identity lookups have definitely benefited our company because it takes the guesswork out of looking in other utilities and brings in that live data of who our employees are, what their job titles are, and lets us build out the story of what's going on. If we have someone who works as a data analyst accessing sales data, sales information, that's a huge red flag for us, so we're able to make an intelligent decision and respond faster by having that data available.
Splunk RBA or risk-based alerting definitely made our lives a lot easier. We went from hundreds of alerts having to be triaged a day, that generally could be false positives or just noise, and bubble them into one overall alert that we can look at on a per-day basis and see what's rising to the top and respond faster, have a higher rate of true positives and find evil a lot quicker.
Splunk Enterprise Security helps us look at high-fidelity alerts a lot quicker because we're using RBA. It's taking the sum of those small alerts that would generally be noise, combining them into a larger picture, boiling them up to the top and letting our analysts then focus on those, which generally have been the true positives of those malicious actors who are impersonating users or accessing through our network, and respond a lot quicker.
What needs improvement?
The way Splunk Enterprise Security could improve is by pulling in and mapping my DHCP data and tracking users' IP addresses as it changes throughout sessions, and being able to keep track of who is actually assigned to what IP address more natively.
For how long have I used the solution?
I have used Splunk Enterprise Security for about 14 years.
What do I think about the scalability of the solution?
Splunk Enterprise Security is so easy as it scales with us as we grow. As we throw more data sets at it, we can increase our indexers in order to accommodate that, and we know that the data is going to be searchable, ready and available in an instant.
How are customer service and support?
When I talk about Splunk customer support, I'm talking about world-class support.
They are so easy to get a hold of, they're so knowledgeable and they don't accept 'I don't know.' They'll say 'Hold on, I will go get the next person who does know this' and you'll get the answer very fast.
That, plus the community members who are writing answers to your questions, there's really not a time when you are going to say 'I don't know,' or you don't walk away with the answer on that day.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to using Splunk Enterprise Security, I had previously used other SIMs that weren't nearly as advanced or up to the task to be able to input that data in our needs at the time. Splunk really answers the question of the do-everything platform.
How was the initial setup?
Deploying Splunk Enterprise Security is actually a really easy task. The onboarding steps that they provide throughout the GUI have become super simple.
The documentation through Lantern has been invaluable and can really answer any questions that we had. It really made the setup go from what seemed like it was going to be a tedious job to something that was really easily done in an afternoon. And then it gave us steps going forward on what to do in order to get the full value of it.
What was our ROI?
For me, the biggest return on investment when using Splunk Enterprise Security is being able to feed any data I need, knowing that data's going to be readily accessible, usable multiple times throughout my organization and I can even bring in non-security individuals to be able to access their data since our back controls that are in Splunk Enterprise Security.
What other advice do I have?
The advice I would give to other organizations who are considering Splunk Enterprise Security is to just do it. It's honestly one of the best investments you'll make.
You'll start noticing the return on investment really quickly. You'll start to notice answers that you did not know you had to questions that didn't exist. You'll start to notice your mean time to detect goes down as you start implementing RBA and embracing the Splunk base itself.
On a scale of one to ten, I would rate Splunk Enterprise Security a solid ten. It answers questions you didn't even know you had, and as you drill through the dashboards and go through the different features that are available, you start to realize all this available information that's there that you didn't even know your data had those answers to. It really starts bringing that value within your first 30 days of using it.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
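The risk-based alerting mechanism this reviewer describes (many small, noisy detections summed into one daily alert per user or host), as an added example that is not Splunk's code or the reviewer's own work. The event fields, scores, the 100-point threshold, and the distinct-source and per-source-cap tuning knobs are constructed assumptions, not Splunk ES defaults.

```python
"""Toy risk-based alerting (RBA) aggregator.

Each low-fidelity detection adds a small risk score to a "risk object"
(a user or host). Only objects whose accumulated daily score crosses a
threshold, and which were hit by several *different* detections, surface
as a single notable for an analyst. This is an added illustration; all
field names, scores and thresholds below are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample risk events: one dict per detection that fired.
RISK_EVENTS = [
    # A user hit by four different low-score detections in one day.
    {"time": "2024-05-01T08:02:11", "risk_object": "jdoe",
     "source": "Office app spawned shell", "score": 30},
    {"time": "2024-05-01T08:05:40", "risk_object": "jdoe",
     "source": "Rare outbound domain", "score": 25},
    {"time": "2024-05-01T09:17:03", "risk_object": "jdoe",
     "source": "New local admin added", "score": 40},
    {"time": "2024-05-01T09:20:55", "risk_object": "jdoe",
     "source": "Logon from new country", "score": 20},
    # One chatty rule firing ten times on a service account: high sum,
    # but only a single source of risk (classic noise).
    *[{"time": f"2024-05-01T02:{m:02d}:00", "risk_object": "svc_backup",
       "source": "Excessive SMB writes", "score": 15} for m in range(0, 60, 6)],
    # A host with a little risk that stays under the threshold.
    {"time": "2024-05-01T11:00:00", "risk_object": "ws-017",
     "source": "Rare outbound domain", "score": 25},
    {"time": "2024-05-01T11:30:00", "risk_object": "ws-017",
     "source": "Office app spawned shell", "score": 30},
    # Same user on the next day: lands in a separate daily bucket.
    {"time": "2024-05-02T10:00:00", "risk_object": "jdoe",
     "source": "Rare outbound domain", "score": 25},
]


def aggregate_risk(events, per_source_cap=None):
    """Sum risk per (risk_object, day) and track which detections contributed.

    per_source_cap limits how much any single detection may add to one
    object's daily score, so a chatty rule cannot manufacture a notable.
    """
    buckets = defaultdict(
        lambda: {"score": 0, "by_source": defaultdict(int), "events": 0})
    for ev in events:
        day = ev["time"][:10]  # ISO timestamp prefix, e.g. 2024-05-01
        b = buckets[(ev["risk_object"], day)]
        b["events"] += 1
        already = b["by_source"][ev["source"]]  # also registers the source
        add = ev["score"]
        if per_source_cap is not None:
            add = max(0, min(add, per_source_cap - already))
        b["by_source"][ev["source"]] += add
        b["score"] += add
    return buckets


def risk_notables(events, score_threshold=100, min_distinct_sources=3,
                  per_source_cap=None):
    """Return the daily notables, highest accumulated risk first.

    Requiring several distinct sources is the tuning step that keeps one
    repetitive rule from bubbling up on its own.
    """
    notables = []
    for (obj, day), b in aggregate_risk(events, per_source_cap).items():
        sources = sorted(b["by_source"])
        if b["score"] >= score_threshold and len(sources) >= min_distinct_sources:
            notables.append({"risk_object": obj, "day": day,
                             "score": b["score"], "sources": sources,
                             "events": b["events"]})
    notables.sort(key=lambda n: (-n["score"], n["risk_object"]))
    return notables


if __name__ == "__main__":
    for n in risk_notables(RISK_EVENTS):
        print(f"{n['day']} {n['risk_object']}: risk={n['score']} "
              f"from {len(n['sources'])} detections ({n['events']} events)")
```

With the defaults only jdoe on 2024-05-01 surfaces; lowering min_distinct_sources to 1 lets the chatty svc_backup rule through, and a per-source cap of 50 suppresses it again.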
Information Security Officer at Freeport LNG Development, L.P.
Analysts detect threats efficiently through scheduled alerts and customizable searches
Pros and Cons
- "It's similar to having a car. It's a necessity. I don't have to prove to the business executives that it provides return on investment. It's a necessary function and a must-have."
- "The features I appreciate the most in Splunk Enterprise Security are the scheduled alerts and the search function."
- "I would evaluate customer service and technical support as frustrating at times."
- "If we want to filter alerts, currently it's a very manual process. We identify IP addresses and usernames and must manually filter them."
What is our primary use case?
My main use case for this solution is to detect threats.
What is most valuable?
The features I appreciate the most in Splunk Enterprise Security are the scheduled alerts and the search function.
The other SIEMs were more menu-driven, similar to Yahoo in the past. With Yahoo, you would navigate to find restaurants in San Francisco. Splunk Enterprise Security operates more with a 'tell us what you want and we'll find it' approach versus directing users to look in specific directions. It is very hunt-friendly.
We are able to prevent breaches with Splunk Enterprise Security.
Integration supports our security operations since our analysts operate within Splunk.
What needs improvement?
Additional features could be included in the next release. The specific functionality I'm looking for relates to alerts and false positives. If we want to filter alerts, currently it's a very manual process. We identify IP addresses and usernames and must manually filter them. It would be beneficial if we could simply click a checkbox to filter and automatically add it to the search, then save it immediately, instead of the time-consuming process of cutting and pasting, which isn't efficient.
The most significant challenge I face when using Splunk Enterprise Security for advanced threat detection is maintaining balance in search parameters. Creating searches that aren't too narrow to miss threats, yet not too wide to generate excessive false positives is crucial. When determining recurring false positives for filtering, junior analysts who aren't coders must edit code-like elements. This introduces unnecessary risk when they could simply check a box to filter.
For how long have I used the solution?
I have been working in my current field for 33 years.
What do I think about the stability of the solution?
I would assess the stability and reliability of Splunk Enterprise Security to be generally acceptable. Some performance issues occur with historical, long-distance searches spanning three to six months; however, these are very rare searches that we perform.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales effectively with the growing needs of my organization because we've never had an issue with it. I don't know if the technology team expands usage significantly, but we've used Splunk Enterprise Security for a long time. The expansion process is so smooth it's barely even a process.
How are customer service and support?
I would evaluate customer service and technical support as frustrating at times. It was similar to experiences with other companies, where they would explain why issues occurred instead of solving them. It took time to reach the right individual who would solve the problem; however, these instances were infrequent.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, I worked at a previous job where they had a different SIEM that was inadequate, so we implemented Splunk Enterprise Security. At my next job, they already had it installed. If they didn't have it, I would have brought it in during the first month. I cannot name the previous solution as it was approximately 15 years ago and was a second-tier provider, not QRadar or other well-known solutions from that time.
How was the initial setup?
My SecOps team has never had a previous solution to compare how long it takes to remediate security incidents in Splunk Enterprise Security. When I arrived, they had a developer license and decided to use it going forward for all security purposes. My team has no experience with other solutions.
What was our ROI?
I have not seen a return on investment with Splunk Enterprise Security. It's similar to having a car. It's a necessity. I don't have to prove to the business executives that it provides return on investment. It's a necessary function and a must-have.
What's my experience with pricing, setup cost, and licensing?
I am aware of the pricing, setup cost, and licensing for it. I don't handle pricing because the primary user is the cyber team. The owners of all technology are the technology team. I inform them we need this solution, and they handle acquisition and management.
What other advice do I have?
We use multiple best-of-breed products to provide data to Splunk Enterprise Security for correlation and malicious activity determination.
My organization does not use risk-based alerting in Splunk Enterprise Security. We use third parties for threat detection features.
Splunk Enterprise Security's impact on business resilience is unclear as we use it exclusively for cyber purposes.
My advice to other organizations considering Splunk Enterprise Security is to use it.
On a scale of one to ten, I rate this solution a nine.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cybersecurity Consultant (Enterprise Projects & Detection Engineering) at Lighthouse Technology
Centralized monitoring has transformed detection workflows and now improves proactive defense
Pros and Cons
- "Splunk Enterprise Security Essentials has contributed to a reduction in analyst burnout or fatigue, improved the daily work experience and retention in my security team, and using structured workflow management, it improves my operational coordination, accountability, and the visibility into the remediation process across multiple security initiatives."
- "Splunk Enterprise Security can improve in the UI/UX interfaces, but for the rest, I am very comfortable with the reporting, dashboard, alerting, search, and reporting features."
What is our primary use case?
I have worked extensively with Splunk Enterprise Security for centralized log ingestion, security monitoring, and detection engineering. My objective is to improve enterprise visibility, reduce alert fatigue, and operationalize attack detection that is capable of identifying authentication abuse with lateral movement, PowerShell misuse, and privilege misuse in Linux environments and suspicious network activity.
My recent project focused heavily on enterprise security engineering and detection engineering, IAM Governance Analysis, which is identity and access management, cloud security operation, and resilience validation. This platform aligns directly with the areas I am actively expanding deeper into. At the end of all my logs and documentation, I link them to MetaTask, ISO 27001, and SOC 2. I have a couple of frameworks I use to analyze all of these topologies.
I was able to reduce unmanaged firewall exposure from over five thousand rows to eight hundred and fifty significantly. This was one of my enterprise projects I did on Zero Trust Security, all documented on my LinkedIn portfolio.
What is most valuable?
I appreciate the reporting features of Splunk Enterprise Security, where it enables me to document each of my telemetry. If I have an alert for a brute force attack, I can document a report on those logs and send it via email or any platform I want to share it on. I appreciate the reporting process and the alert features. Recently, I worked on onboarding Windows event logs and was able to correlate these logs with six months of telemetry, Linux authentication logs, firewall telemetry, and DNS activities into Splunk Enterprise Security. I developed correlation searches and behavioral detection that I used to align to MITRE attack techniques, including good fall detection, privilege collection monitoring, suspicious authentication analysis, and DNS abnormality detection. I also created detection to reduce false positives and improve operational reliability while integrating a reasonable workflow using Python automation for faster incident tracking. I was able to create those logs, and everything was displayed on my dashboard. The improvements reduced false positive investigation workloads significantly, improving security operation center visibility across my enterprise environment, and reducing the mean time to detect to ten minutes in a simulated enterprise environment scenario. Those are the results I have had so far in my enterprise environment.
I have solved issues during one of my enterprise security tasks where I identified excessive firewall rules, which are documented on my LinkedIn portfolio, and an unmanaged access pathway that created unnecessary attack surface exposure across my environment. The challenge was to identify still rules to validate legitimate traffic requirements and reduce unnecessary exposure without disrupting my operational workflow.
Splunk Enterprise Security has helped me detect threats faster. It has helped me reduce my team's average mean time to resolve metric. I estimate it has improved detection speed by eighty-five percent because ninety percent of my projects are essentially on Splunk, making it one hundred percent effective for my team. Splunk Enterprise Security Essentials has contributed to a reduction in analyst burnout or fatigue.
It has improved the daily work experience and retention in my security team. Using structured workflow management, it improves my operational coordination, accountability, and the visibility into the remediation process across multiple security initiatives. It has improved my ability to preemptively block threats in vulnerability management workflow and governance activities, including documenting investigations and findings, and how I assign remediation ownership. It has increased my risk ownership, improved tracking escalation status, and monitoring completion timelines.
It has changed my approach to proactive defense across both consulting and enterprise operational projects, affecting how I track remediation activities and investigation workflows, which are important for maintaining operational visibility and accountability. It has improved my operational understanding of TCP and IP behavior, attack traffic reconstruction, segmentation validation, and network-based detection engineering across the enterprise environments I have worked with. It has improved productivity in how I perform packet-level analysis using Wireshark and PXS telemetry to inspect XMB traffic, RDP sessions, DNS activities, authentication flows, and simulated lateral movement patterns.
What needs improvement?
Splunk Enterprise Security can improve in the UI/UX interfaces, but for the rest, I am very comfortable with the reporting, dashboard, alerting, search, and reporting features. From the rating perspective, it could be enhanced.
For how long have I used the solution?
I have used Splunk Enterprise Security for two years.
What do I think about the stability of the solution?
Splunk Enterprise Security is stable; I have not troubleshot anything since it has worked for me. When I perform actions such as brute forcing my machine, it logs correctly, and queries I run return logs as fast as one minute ago.
What do I think about the scalability of the solution?
I believe Splunk Enterprise Security has all the features any organization could need. If the engineer knows what they are doing, it can adapt to scale, generating and importing logs without issues for different sizes of enterprises.
How are customer service and support?
I have not communicated with the technical support of Splunk Enterprise Security.
Which solution did I use previously and why did I switch?
I tried Google Sentinel before choosing Splunk Enterprise Security, but it did not suit my needs, so I had to try something else. When I got to Splunk Enterprise Security, I found it satisfactory enough not to switch to another option.
How was the initial setup?
I participated in the initial setup of Splunk Enterprise Security.
I had to go to the website first, create an account with my email, and then download either the enterprise version or Splunk Forwarder. In my Active Directory, I have my forwarder installed, and on my server machine, I have the enterprise installed. With one account, I was able to configure my port number and destination port, hosting it on localhost. I connected other components to the service with the appropriate configurations.
From a technical perspective, the initial setup was not difficult for me to navigate through.
What about the implementation team?
For a non-technical person, it may be challenging, but for a technical person, it is straightforward. The process is effective.
What was our ROI?
For return on investment, I think a large corporation would not have an issue with that. For small-scale enterprises, they may need to review those areas more, particularly related to user rates.
Which other solutions did I evaluate?
I used to analyze and log manually as a SOC analyst would before using Splunk Enterprise Security.
What other advice do I have?
Splunk Enterprise Security represents a fair price for what it can accomplish. I would rate this product a ten out of ten.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 19, 2026
Cyber Security Associate at SAP
Improves business resilience and reduced incident remediation time through real-time risk identification
Pros and Cons
- "The ability to identify risks as they come in is quite good."
- "Better education for users would be beneficial as they often don't know what they don't know or how to look for certain features."
What is our primary use case?
My main use cases for Splunk Enterprise Security include detection engineering tasks. I work with the SIM team handling various responsibilities, specifically ensuring uptime availability and correct log ingestion.
How has it helped my organization?
Splunk Enterprise Security has helped improve my organization's business resilience. We have definitely been able to get significant value out of it.
What is most valuable?
As an administrator, I mainly ensure other people can use the system effectively rather than using it extensively myself.
My impressions of Splunk's ability to predict, identify, and solve problems in real time are solid. I definitely notice when it makes predictions and helps with what we're trying to find in general. The ability to identify risks as they come in is quite good.
The integration of disparate security solutions supports our security operations by providing multiple methods to handle things. We have 21 lines of business with different Splunk pods, each requiring different solutions.
Personally, the integration creates some challenges, particularly when trying to standardize processes and migrate to Splunk Cloud. Managing different Splunk pods on-premises and separate stacks leads to confusion and time inefficiencies.
The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security works adequately. While I don't write the detections myself, I work closely with those who do, and it doesn't seem to be an issue.
Our Security Ops team's incident remediation time has improved significantly. Previously, it took approximately 11 hours, but now it takes a few hours, though we're still working to reduce this time further through our migration to Splunk Cloud.
What needs improvement?
There are ways Splunk Enterprise Security can be improved, though I might be speaking specifically about my organization's implementation. Better education for users would be beneficial as they often don't know what they don't know or how to look for certain features.
Regarding ease of use, Splunk Enterprise Security is adequate. The challenge arises when we have multiple users trying to differentiate between the regular search head and the Enterprise Security search head. While users can accomplish their tasks, the main issue stems from education rather than the platform itself.
For how long have I used the solution?
I have been using Splunk Enterprise Security for three years, with a six-month break in between. I have been using it extensively for the last year.
What do I think about the stability of the solution?
The stability and reliability of Splunk Enterprise Security is very good. While we've experienced some downtime, crashes, and performance issues, these were caused by end users running poorly optimized queries rather than system problems.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales effectively with our organization's growing needs. We haven't encountered any problems with scalability.
How are customer service and support?
I would rate customer service and technical support from Splunk at nine out of ten. I have had nothing but good experiences with Splunk support, receiving timely and helpful replies. In one instance, when I needed immediate support, I received a call within ten minutes of submitting the ticket, and we resolved the issue promptly.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I am uncertain if my organization used another solution prior to adopting Splunk Enterprise Security. I believe we have been using Splunk the whole time, but this predates my joining the team.
How was the initial setup?
The deployment is fine. I don't really have much of a problem with that end of things.
What was our ROI?
I have seen a return on investment with Splunk Enterprise Security.
What's my experience with pricing, setup cost, and licensing?
I am not familiar with the pricing of Splunk Enterprise Security. Regarding licensing, we face some challenges. The management of different pods makes it confusing and complicated, but it gets resolved by our senior team members.
Which other solutions did I evaluate?
I use disparate security solutions that integrate or import data into Splunk Enterprise Security. We utilize many different tools.
What other advice do I have?
I would advise other organizations to consider Splunk Enterprise Security as it's an easy solution to implement and effective for its intended purpose.
On a scale of one to ten, I rate Splunk Enterprise Security an eight.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner