DevOps & Cloud Engineer Mentee at CertDirectory.io
Reduces alert fatigue, and it's well-documented and well-designed
Pros and Cons
- "Splunk Enterprise Security is fast and well-documented, and user interface and user interaction are well-designed compared to other SIEM solutions."
- "Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use."
What is our primary use case?
My main use case is for log management and checking the logs. We have rules running in Splunk Enterprise Security. We are using it as a main SIEM solution for our customers.
How has it helped my organization?
Alert fatigue is a common issue with security solutions, but Splunk Enterprise Security reduces alert fatigue. When we encounter real incidents, we get to dive deeper to check out the main cause of that incident. It is useful because it reduces alert fatigue.
What is most valuable?
The best feature of Splunk Enterprise Security is the documentation. Splunk Enterprise Security's documentation is well-organized. For example, if you have a problem or if you want to read about what you're looking for, you can easily go there and read from the documentation. It also has many resources worldwide. It is a de facto standard of the SIEM solutions. For example, I have used IBM QRadar, which is another solution many companies are using.
One of the most beneficial use cases for me is that Splunk Enterprise Security is fast. I cannot speak to how the SIEMs work in the backend, but I can say it is fast to find any logs.
Its UX and UI experience is getting better. It is much better than one year ago. Some of the buttons and other features are much easier to locate and choose. The user interactions are much better than one year ago. The advanced queries are much faster. The UI design is much better. That is one of the best changes that happened in one year.
What needs improvement?
AI is an area that has room for improvement in Splunk Enterprise Security. I would say that AI plays a significant role in many of the cybersecurity tools I've used, not just Splunk. Many AI tools offer some form of assistance. By "AI assistance," I mean that while AI may not have complete knowledge of all customer flow data, it can still help engineers who often encounter unfamiliar situations. For example, during incidents, a large volume of logs can be generated, and it can be difficult to analyze all of them in a timely manner. In such cases, AI tools can be beneficial, even if they are not universally applicable. Certain events, like denial-of-service attacks, can result in massive log flows, which complicate detection and response efforts. Additionally, there may be similar collective issues affecting multiple customers.
Many cybersecurity tools incorporate some limited AI capabilities, which can assist operators. For instance, if a specific endpoint security issue arises with a customer, AI can help identify potential causes and suggest improvements. In my experience, most cybersecurity operators and companies rely on security tools that may not offer full-fledged SIEM solutions but do provide integrated security functionalities such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). My expectation is that even small, incremental integrations of AI will significantly enhance these tools' effectiveness.
Buyer's Guide
Splunk Enterprise Security
April 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: April 2026.
893,311 professionals have used our research since 2012.
For how long have I used the solution?
I have been using the solution for approximately one year. I used it for 12 months in the company.
What do I think about the stability of the solution?
It's stable. I would rate it a ten out of ten for stability.
What do I think about the scalability of the solution?
The scalability of Splunk Enterprise Security rates as an eight out of ten. I have not used the scalability option, but I would say the other procedures and processes are flawless. Scalability might be the same.
How are customer service and support?
I have not reached out to their technical support because whenever I have an issue, I use the documentation rather than reaching out to technicians. When there is an issue, people need swift assistance to solve it. People do not want to wait, so I mainly use the documentation.
Which solution did I use previously and why did I switch?
I have worked with other SIEM solutions. Splunk Enterprise Security is great but can have some frustration points. It can sometimes be slower to use. On the other hand, when I use IBM QRadar, it rarely experiences slowdowns, especially when using the Incident Command Module (ICM). In the case of Splunk Enterprise Security, the speed might be affected by the number of systems in use or possibly due to how the security engineers configure it. As an operator, I find that the speed is a reason I would rate it an eight out of ten. Overall, it's very fast and accurate, and the user interface is excellent for various uses, such as querying data. However, I do notice that it can be slightly slower compared to other large enterprise solutions.
How was the initial setup?
Most of the time, it is deployed on-premises. We don’t rely heavily on cloud solutions, although we have explored them a bit. Our customers, particularly in the financial industry, tend to prefer on-premises systems due to their concerns about cloud security.
Having good documentation is helpful for deployment. If the documentation is lacking, it can be challenging. The ease of navigating the systems really depends on a person's experience.
The duration varies depending on the company. I can't give a specific answer because it depends on several factors, such as the number of people working in the system, the number of endpoints, and how many on-premises servers are running. In my case, I haven't experienced a full deployment, as I've only deployed a few endpoints and on-premises services. This process took just a couple of days for me, but I haven't dealt with a large-scale on-premises deployment. When I joined the company, they were already using Splunk for various on-premises services, so I haven't gone through a complete zero to one hundred type of scenario.
Splunk Enterprise Security absolutely requires maintenance, but I don't deal with maintenance. It needs maintenance, but I have not encountered much of it.
What was our ROI?
From a return on investment standpoint, Splunk Enterprise Security saves a lot of time. I have used other SIEM solutions, and they are not so great. They create lots of exhaustion and frustrating periods of checking queries, and the response times are slower. This leads to a lot of frustration because many companies don’t rely on just one SIEM tool; they often use multiple alternatives simultaneously.
The documentation for Splunk Enterprise Security is outstanding. It is well-organized and easy to access. You can simply go to the Splunk documentation website, search for what you need, and by the end of the day, you’ll have a great solution for any issue you encounter with Splunk Enterprise Security. In contrast, other SIEM tools often lack this level of documentation, which is quite disappointing.
Splunk Enterprise Security also excels with its user interface. It is easy to navigate and integrates seamlessly with other services, which is a significant advantage. You can easily search for solutions, try out different features, and create reports.
As a security operator, one of our main responsibilities is writing reports. If an issue arises, clients will often ask, “What happened around noon? Can you explain the main issue?” Other SIEM tools can make it difficult to find the appropriate buttons or functions to navigate and analyze these incidents. However, with Splunk Enterprise Security, you just look up the documentation, write what you’re searching for, and apply the same rules in Splunk Enterprise Security. Everything is easy to follow, and the system works effectively. In summary, I would say that the well-documented guidance is one of the most valuable aspects for saving me time.
What other advice do I have?
I have not used the advanced correlation capabilities much because mainly all of them are running. Specifically, I have not gone very deep into the use case of Splunk Enterprise Security. I have used advanced queries a couple of times. For example, there was a sort of attack, a false positive attack. We had to check out all the timelines or block queries to find out what might have happened or what the reason was for the false positive. I used that and it is quite fast.
I have not used the risk-based alerting feature. It is more for log management and checking the log flow.
Whenever you want to apply for any exams, such as the SOC exam or Blue Team certification exams, they mainly ask for Splunk rather than other SIEM solutions. For me, it is overall the best SIEM solution to use.
I can recommend Splunk Enterprise Security to other users. It is fast and well-documented. User interface and user interaction are well-designed compared to other SIEM solutions. It is a great SIEM tool.
I would rate Splunk Enterprise Security an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SOC Manager at a real estate/law firm with 1,001-5,000 employees
Investigation efforts have improved while search complexity still requires attention
Pros and Cons
- "The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents."
- "Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations."
What is our primary use case?
Our main use cases for Splunk Enterprise Security include security, detection, and incident response.
How has it helped my organization?
The data model benefits our organization by making it easy for the team to get data into Splunk, and field tagging is particularly helpful.
What is most valuable?
The features of Splunk Enterprise Security that I most appreciate are CIM, the data model, the search capabilities, and the investigation feature embedded into Splunk version 8.
The investigation feature helps the team seamlessly put everything together, providing a consistent view of all relevant artifacts for incidents.
Splunk's ability to predict, identify, and solve problems in real-time is exceptional due to its ease of data ingestion and comprehensive search capabilities with various options.
I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be excellent, especially with the new Mission Control included in Splunk Cloud version 8. It is really easy to use.
We are sending data directly to Splunk Cloud without any broker or pipeline in between. Our organization does not use risk-based alerting in Splunk Enterprise Security yet, and our SecOps team has not measured incident remediation times compared to our previous solution.
I would advise other organizations considering Splunk Enterprise Security to check their business case, considering the number of systems and amount of data to determine if it is the right tool in terms of the licensing model. If they decide to implement Splunk Enterprise Security, getting professional support is crucial.
One of our decision drivers was the customer support, which we found to be very responsive based on feedback from other customers. Additionally, the ability to extend the license for IT-related topics provides flexibility to leverage the platform across all departments, not just security, a unique feature compared to other SIEM tools.
What needs improvement?
Splunk Enterprise Security can be improved with better triage capability and less dependency on running SPL searches, which would allow analysts who may not have much experience in writing SPL searches to still use the tool and run investigations.
For how long have I used the solution?
We are still at the beginning, just four months into using Splunk Enterprise Security.
What do I think about the stability of the solution?
I assess the stability and reliability of Splunk Enterprise Security as generally good. We had a few glitches, but nothing serious, and when we needed to raise cases with the support team, they were quickly resolved, particularly an issue on the indexer level.
What do I think about the scalability of the solution?
Splunk Enterprise Security scales effectively with our growing needs. As a global organization, we first started with three regions, and when we were about to move to include the last region, it was easy to increase the license and onboard the new region seamlessly.
How are customer service and support?
I would evaluate customer service and technical support for Splunk Enterprise Security as excellent, particularly our sales representative, who is exceptional. On a scale of one to ten, I would rate customer service and technical support as a nine.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Prior to adopting Splunk Enterprise Security, we were using QRadar from IBM, but we wanted a modern and state-of-the-art SIEM, which led us to choose Splunk Enterprise Security.
How was the initial setup?
The deployment was the best that I have gone through so far. We had professional support, which is something I recommend everyone do: introducing Splunk with the Splunk professional support personnel advising and supporting through the implementation phase.
What about the implementation team?
We had professional support, which I recommend to everyone introducing Splunk Enterprise Security, to have professional support advising and supporting them through the implementation phase.
What was our ROI?
The return on investment from Splunk Enterprise Security is still to come.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing for Splunk Enterprise Security was positive. We had an excellent sales representative. The licensing model was fair and good compared to other tools we evaluated. The storage-based licensing was the best model that fit our requirements, though it may change as we evolve and ingest more data.
What other advice do I have?
I rate this product seven out of ten. Nothing is perfect, and there is still room for improvement.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 13, 2025
Cyber Security Engineer at Underdefense
Risk-based alerts have transformed our incident response and reporting to executives
Pros and Cons
- "Overall, Splunk Enterprise Security has reduced our MTTR by approximately 30%."
- "Beyond support, the pricing tier of Splunk Enterprise Security could be better, as it is an expensive solution; however, the cost reflects the value delivered."
What is our primary use case?
Splunk Enterprise Security serves as our security tool, specifically functioning as a SIEM product.
What is most valuable?
Splunk Enterprise Security's best features include scalability, reliability, and extensive integrations.
The RBA in Splunk Enterprise Security helps us considerably because there are rules that we cannot turn off, but they are spammy rules that we can whitelist. We group them as intermediate findings, making this risk score useful. It saves us time because instead of working on 1,000 alerts per day, we focus on two or three alerts and simply review their impact on our organization.
With Splunk Enterprise Security and our SOC team, we have developed custom rules that adjust the risk scores based on our observations, not merely Splunk's recommendations. It helps considerably because it groups the alerts, gives us information about related alerts, and provides excellent features such as drill-down searches and dashboards, which save our time and decrease mean time to respond and mean time to detect.
Overall, Splunk Enterprise Security has reduced our MTTR by approximately 30%. That reduction applies to both response and detection.
Our dashboards and visualizations in Splunk Enterprise Security communicate our security posture to executives effectively, as they are more interested in numbers and money saved rather than technical details. The visualizations allow us to present why they spend money on this solution, and we can create engaging visual stories for them based on the dashboards.
What needs improvement?
The area for improvement with Splunk Enterprise Security is support.
The knowledge base could also be improved.
Beyond support, the pricing tier of Splunk Enterprise Security could be better, as it is an expensive solution; however, the cost reflects the value delivered.
For how long have I used the solution?
I have been using Splunk Enterprise Security for more than eight years.
What do I think about the stability of the solution?
For stability, I give it a ten.
What do I think about the scalability of the solution?
In terms of scalability, I also rate it a ten.
How are customer service and support?
On a scale from 1 to 10, I rate support for Splunk Enterprise Security at a six.
How was the initial setup?
My experience deploying Splunk Enterprise Security is straightforward; I am a certified Splunk architect, which is the highest certification. Based on the documentation, it is easy for non-distributed deployments, but it can be challenging for others with larger infrastructures.
In terms of deployment time for Splunk Enterprise Security, it takes approximately 15 minutes.
What about the implementation team?
For my clients, there are over 200 people using Splunk Enterprise Security.
In my company, we have approximately 30 specialists.
Regarding Splunk Enterprise Security deployment, we utilize both on-premises and cloud setups.
What was our ROI?
The return on investment we see from Splunk Enterprise Security is not straightforward, as it depends on the company; some may not have alerts or impacts, while others, when detecting critical alerts or threats, may realize it has saved them a million dollars. Overall, I estimate the ROI to be approximately 20% to 30%.
Which other solutions did I evaluate?
When comparing Splunk Enterprise Security with other security solutions, I find it to be the best as it consolidates everything in one place. They have updated it with endpoint security and admission control capabilities, allowing you to see every comment and action during an incident, which I have not seen in other solutions such as Elastic, Sumo Logic, or LogRhythm.
What other advice do I have?
Since we do not work with UEBA in Splunk Enterprise Security, I cannot comment on any improvements in threat hunting and investigations. I have seen demos of it, and while it is a remarkable solution, I cannot personally answer that question. I provide this review with an overall rating of 10.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
Last updated: Apr 14, 2026
Senior Information Technology Security Consultant at Mideast Data Systems
Advanced risk-based alerts have automated threat detection and reduced investigation time
Pros and Cons
- "Once you complete this setup, the product is amazing and will do all of the work."
- "The main dislikes about Splunk Enterprise Security are that we need more highly skilled people and the license for Splunk Enterprise Security is costly."
What is our primary use case?
I have been using Splunk Enterprise Security for the last five years, mainly building use cases for the SOC team. My role involves analyzing logs and writing vulnerability alerts based on what I observe. When security alerts are triggered, the security team receives notifications and takes appropriate action.
What is most valuable?
The most valuable aspect of Splunk Enterprise Security is that SIEM compliance is one of the best features. I can say this not only because it is Splunk Enterprise Security specific, but also because it is Splunk specific. All data coming in needs to be placed in the SRC field. All data will be normalized with the SRC field. Whether you are collecting data from a firewall or from numerous products, all data with the same name will be automatically collected by Splunk Enterprise Security alerts. Based on that, you can get all alert triggers and perform any kind of investigations. If something goes wrong, such as someone wrongly accessing servers, you will get everything very quickly based on the authentication data model. The alert part and security investigation part are very good.
Threat intelligence is very helpful because there is a threat intelligence model in Splunk Enterprise Security. It will identify threats from around the world and bring them into Splunk Enterprise Security. AI also helps us. When a wrong IP is detected, an incident will be created in Splunk Enterprise Security. Once you click on the "get more info" button, it will bring all information about where this IP belongs, including location and coordinates. Based on that, you can trigger security incidents and alerts.
I am very familiar with risk-based alerting in Splunk Enterprise Security. Everything in Splunk Enterprise Security is on a risk-based model. When I find an unknown IP detection one time, everything is assigned a risk score. If I find an unknown IP one time in one hour, the risk score might be five or ten. If the same thing repeats in one hour, for example if an unknown IP tries to log in twenty times in one hour, the score should be higher. Risk-based alerting will check the notables and increase the score. When you have one hit, the risk score will be two. Whenever you have more hits, the risk score increases and the alert severity and alert priority also go up, becoming a P1 or P2 incident for the analyst. Risk-based alerting is a very good feature in Splunk Enterprise Security.
MITRE ATT&CK is helpful for Splunk Enterprise Security. I take reference from this framework whenever I want to create alerts. The first thing I do is check the MITRE ATT&CK framework and read the documentation. In MITRE ATT&CK, there are tables with many rows and columns. I check these tables and review all the alerts. MITRE ATT&CK shows the security framework and the maximum possible things that can be done to secure our platform. From that MITRE ATT&CK reference, I create alerts.
What needs improvement?
The main dislikes about Splunk Enterprise Security are that we need more highly skilled people and the license for Splunk Enterprise Security is costly. Beyond this, the infrastructure cost is too high. Since we have an on-premises deployment, it is costly for us because we need a lot of storage and a big server.
From a maintenance perspective, Splunk Enterprise Security sometimes requires maintenance because it continuously monitors all alerts and continuously creates incidents. Sometimes the data volume is high and some searches will be skipped automatically. We might have 1,000 searches and sometimes experience a lot of skipped searches. Sometimes if we modify any macro, there can also be issues. We need at least one person for maintenance who can continuously ensure that Splunk Enterprise Security is running fine.
Regarding support for Splunk Enterprise Security, we reach out many times. Initially, we purchased hardware that was not capable enough. Sometimes our server became choked and Splunk was not able to run some searches on Splunk Enterprise Security. These issues were due to hardware limitations. We called a consultant from Splunk who analyzed the platform and fixed the issues. Sometimes we upgraded our platform twice by adding additional disk space and RAM.
We have not upgraded to version 8.0 yet for Splunk Enterprise Security and are currently on version 7.0. Recently, we had a demo scheduled with the Splunk team to learn about Splunk Enterprise Security 8.0 features. However, in version 8.0 they changed everything. Initially, we had an incident review dashboard and risk management dashboard that I was very familiar with. In Splunk 10X, all the names changed and everything was restructured. Currently, I am still learning which old features correspond to the new ones. They changed many things, which is also one of the disadvantages, as the changes were extensive.
What do I think about the stability of the solution?
Splunk Enterprise Security has never crashed. However, sometimes there was lagging, but this was due to our infrastructure because we have an on-premises deployment. I used it in the cloud three or four years ago, and the cloud version is very stable with no scalability issues.
What do I think about the scalability of the solution?
Overall, I can give a rating of nine for the scalability of Splunk Enterprise Security.
How are customer service and support?
Splunk Enterprise Security support deserves a rating of nine.
Which solution did I use previously and why did I switch?
I have never used any alternative to Splunk Enterprise Security. Before Splunk Enterprise Security, we were using Splunk for monitoring purposes, writing queries and preparing alerts. However, this is not what Splunk Enterprise Security does. A normal traditional alert can be scheduled based on Cron or similar methods. Splunk Enterprise Security collects threats from around the world and includes a threat intelligence data model. It manages identity and asset information separately, which cannot be done with our traditional approach.
How was the initial setup?
For the initial deployment of Splunk Enterprise Security, I cannot say this is easy. It is somewhat complex because when you purchase the product, you have a lot of data. You need to align all of your data so that it fits Splunk Enterprise Security. Splunk Enterprise Security has custom data models and custom correlation searches that are already defined. You need to modify or set your data according to Splunk Enterprise Security standards. Once you complete this setup, the product is amazing and will do all of the work.
What other advice do I have?
The mean time to resolve in Splunk Enterprise Security will increase. On other platforms, whenever you create alerts, you only need to see what is there and then troubleshoot everything. In Splunk Enterprise Security, when you create an alert, you can add many additional things. For example, once an unknown IP is detected, it will send an email, create an incident, and create a notable inside the security system. It can do many things and you can add more information. You can check a lookup, check an IP, or follow specific steps. You can add multiple steps to follow as well. All of this will be included with the alert, which resolves a lot of mean time. People do not need to go searching to find how to do things. This significantly reduces the time needed and alerts are immediate. Whenever something goes wrong, you will be notified quickly.
With Splunk Enterprise Security, we detect threats frequently. I work with a major client in the Emirates, and we find a lot of attacks happening and many phishing emails. Sometimes we have two firewalls, one is a DC firewall and one is a Palo Alto firewall, with many compliance requirements. People attempt to access these systems and sometimes send vulnerability emails. For all of these things, we are blocking and detecting with Splunk Enterprise Security and immediately notifying the candidate to not open emails or notifying our team via email.
It reduced the analyst's workload in Splunk Enterprise Security. However, after purchasing Splunk Enterprise Security, we hired more people to analyze the data. By purchasing this product, we came to understand that we can implement additional features and security rules. Our team is continuously and actively working, checking the MITRE ATT&CK framework, finding detections, and implementing them on our platform to make it more secure.
MITRE ATT&CK helps detect patterns that have occurred before.
ES Essentials is in our environment for Splunk Enterprise Security, though I have never focused much on working with it and do not know much about what it does.
Overall, I would rate this review as a nine.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: May 7, 2026
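The two mechanisms the reviews above describe, normalising every source onto a common `src` field the way a CIM-style data model does, and then letting repeated hits from one source accumulate a risk score that escalates the priority (one hit scores two, more hits raise it towards P1/P2, noisy known sources are allowlisted), can be shown end to end in a few lines. The following is an added illustration written for this page; it is neither Splunk's code nor any reviewer's searches. The raw event shapes, the function names, the score of 2 per hit, the weight of 3 for privileged accounts, the allowlist and the P1/P2/P3 thresholds are all assumptions made for the example.

```python
"""Risk-based alerting (RBA) over normalised authentication events.

Constructed illustration for this page: not Splunk's code and not the
reviewers' searches. Assumptions made here: the two raw log shapes, the
function names, BASE_SCORE, PRIV_WEIGHT, ALLOWLIST and THRESHOLDS.
"""
from collections import defaultdict
from datetime import datetime

# Constructed raw events from two sources that name the same facts differently.
RAW_EVENTS = [
    # VPN gateway style: client_ip / status / user (six failures from one address)
    *[{"source": "vpn", "ts": f"2026-04-01T09:{m:02d}:00", "client_ip": "203.0.113.7",
       "status": "FAILED", "user": "alice"} for m in range(0, 6)],
    # Windows security log style: IpAddress / EventCode (4625 = failed logon,
    # 4624 = successful logon) / TargetUserName
    {"source": "windows", "ts": "2026-04-01T09:10:00", "IpAddress": "192.0.2.44",
     "EventCode": "4625", "TargetUserName": "svc-admin"},
    {"source": "windows", "ts": "2026-04-01T09:11:00", "IpAddress": "192.0.2.44",
     "EventCode": "4624", "TargetUserName": "svc-admin"},
    # A known internal scanner that trips the rule constantly (allowlisted below)
    *[{"source": "vpn", "ts": f"2026-04-01T09:{m:02d}:00", "client_ip": "198.51.100.10",
       "status": "FAILED", "user": "scanner"} for m in range(20, 30)],
]

ALLOWLIST = {"198.51.100.10"}   # assumed: noisy sources whose hits are suppressed
PRIVILEGED = {"svc-admin"}      # assumed: accounts a custom rule weights higher
BASE_SCORE = 2                  # one hit scores two, as the review describes
PRIV_WEIGHT = 3                 # assumed custom-rule multiplier
THRESHOLDS = [(20, "P1"), (10, "P2"), (1, "P3")]  # assumed priority floors


def normalise(event):
    """Map each source's fields onto the common names src/user/action,
    the way a CIM-style data model normalises authentication data."""
    if event["source"] == "vpn":
        action = "failure" if event["status"] == "FAILED" else "success"
        return {"ts": event["ts"], "src": event["client_ip"],
                "user": event["user"], "action": action}
    if event["source"] == "windows":
        action = "failure" if event["EventCode"] == "4625" else "success"
        return {"ts": event["ts"], "src": event["IpAddress"],
                "user": event["TargetUserName"], "action": action}
    return None  # unmodelled source: contributes nothing


def score_observation(obs):
    """Risk contributed by one normalised observation (0 for successes,
    allowlisted sources and unmodelled events)."""
    if obs is None or obs["action"] != "failure" or obs["src"] in ALLOWLIST:
        return 0
    weight = PRIV_WEIGHT if obs["user"] in PRIVILEGED else 1
    return BASE_SCORE * weight


def accumulate_risk(raw_events):
    """Sum risk per (src, hour) bucket, i.e. the review's 'hits in one hour'."""
    risk = defaultdict(int)
    for raw in raw_events:
        obs = normalise(raw)
        points = score_observation(obs)
        if points:
            hour = datetime.fromisoformat(obs["ts"]).strftime("%Y-%m-%dT%H")
            risk[(obs["src"], hour)] += points
    return dict(risk)


def priority_for(score):
    """Escalate priority as the accumulated score crosses the thresholds."""
    for floor, prio in THRESHOLDS:
        if score >= floor:
            return prio
    return None


def findings(raw_events):
    """One finding per risk object that crossed a threshold, highest risk first."""
    rows = [(src, hour, score, priority_for(score))
            for (src, hour), score in accumulate_risk(raw_events).items()]
    rows = [r for r in rows if r[3] is not None]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for src, hour, score, prio in findings(RAW_EVENTS):
        print(f"{prio} src={src} hour={hour} risk={score}")
```

Run as a script it prints two findings: the six VPN failures from 203.0.113.7 accumulate to 12 and become a P2, the single failed logon for the privileged account weighs 6 and stays a P3, and the allowlisted scanner produces no finding at all despite ten hits, which is the "1,000 alerts a day down to two or three" effect the Underdefense review describes.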
Senior Splunk Engineer (L3) at Wipro Limited
Risk-based monitoring has improved incident prioritization and simplifies cross-team collaboration
Pros and Cons
- "Splunk ITSI (IT Service Intelligence) has very good capability of storing, analyzing, and searching compared to other tools."
- "The correlation we are trying to do in Splunk ITSI (IT Service Intelligence) is missing a few features from the earlier versions."
What is our primary use case?
At the moment, we are using Splunk ITSI (IT Service Intelligence) with the Splunk Enterprise Security suite solution to create the use cases. We have criteria to create use cases in such a way that as soon as we receive a request from a customer or internally, we need to look at it based on the MITRE ATT&CK framework's tactics and techniques. Based on that, we are going to create use cases in Enterprise Security. We will consider a few things, such as what the severity is and what it is based on the group, whether it is end-user support or application support. Based on that, we will create the urgency and all.
What is most valuable?
The favorite features of Splunk ITSI (IT Service Intelligence) include the ability to define the risk score and understand how much priority we can assign. We can also define priority as critical, low, medium, or high. We can also give some filtering options during the execution time, such as filters, throttling, and mapping the fields by grouping the name and grouping the fields. Additionally, we have the feasibility to give a direct ticket to ServiceNow integration. It will create a ticket and assign it to somebody who is responsible to work on it. We have some very good things with this solution.
What needs improvement?
The correlation we are trying to do in Splunk ITSI (IT Service Intelligence) is missing a few features from the earlier versions. We previously had a chance to give complete descriptions of a particular thing and whether it is mandatory or not. However, in the new version, we are seeing something like a risk score that needs to be defined for any use case we are creating. I think that is not mandatory, but also in some areas we cannot define the risk score. At those times, in those cases, we are keeping the risk score as nominal, like one to ten. Because of that mandatory field, we are giving some wrong information to the end list.
For how long have I used the solution?
I have been using it in my career for six years.
What do I think about the stability of the solution?
I have never seen instability, lagging, crashing, or downtime throughout my experience with Splunk ITSI (IT Service Intelligence). We work on all production servers and production environments. We have scheduled operations, maintenance operations, and maintenance windows. Only during that time will we see if they are trying to do any activity or if they want to perform any shutdown. They plan accordingly and guide us before they are planning for it.
What do I think about the scalability of the solution?
Splunk ITSI (IT Service Intelligence) has a good feature for scalability. We can scale it very quickly, and it is very helpful for an organization to scale up. It has that feature, and it is a very good feature.
How are customer service and support?
I have contacted technical support for Splunk ITSI (IT Service Intelligence). I have worked in both areas, on-premises and the cloud environment. For on-premises, they address the issue based on the priority of the case. For the cloud environment, they will prioritize the case and give quick service.
How would you rate customer service and support?
Positive
How was the initial setup?
During the initial setup, in the first few days and months when I started using Splunk ITSI (IT Service Intelligence), it was overall understandable. If somebody does not know about it, they can learn it very quickly and adapt to the technology.
What about the implementation team?
For deployment of Splunk ITSI (IT Service Intelligence), we require two to three people, depending on the environment and the size of the environment. It is preferred to have two people.
What was our ROI?
From a pricing point of view, Splunk ITSI (IT Service Intelligence) is a bit high. I have seen one of my customers, an old customer, who is moving from Splunk ITSI (IT Service Intelligence) to other tools. The tool is Cortex XDR SIM. It is all because of the pricing. Other than the big organizations, if somebody in a small company or a small-to-medium company wants to use Splunk ITSI (IT Service Intelligence) facilities, they are very much afraid of it because of the pricing. Also, the people who are already using Splunk ITSI (IT Service Intelligence) as a solution are checking for alternatives. For example, one of the other clients moved to another SIEM solution because of the pricing itself. It is comparatively more, and they need to think about this pricing.
Which other solutions did I evaluate?
I have familiarity with QRadar and SIM Nitro as alternatives to Splunk ITSI (IT Service Intelligence). I can compare QRadar with Splunk ITSI (IT Service Intelligence). My opinion is that Splunk ITSI (IT Service Intelligence) is the better one. Comparatively, I have used three SIEM tools, but Splunk has more visibility. As Splunk engineers, we have the feasibility to integrate a lot of logs from different log sources, and we can parse them. We can create custom rules. All of this provides very good visibility in Splunk ITSI (IT Service Intelligence). Log availability is also a very good thing. Splunk ITSI (IT Service Intelligence) has very good capabilities for storing, analyzing, and searching compared to other tools. We can create knowledge objects, such as dashboards, which is very useful for reviewing what we have in the system, and we can also present it to somebody who is not much aware of the system. In QRadar, we do not have much scope to work on. In Splunk ITSI (IT Service Intelligence), we have a lot of things during the integration time. We have a lot of scope, and also parsing, and then utilizing the logs by creating use cases and alerts, reports, and dashboards.
What other advice do I have?
My overall experience is eight years, and six years are relevant to this field. Whenever we are doing any new add-ons and integrations, we actually need to upgrade ourselves. We recently had an upgrade of utilizing Python scripting for scripting. For on-premises Splunk ITSI (IT Service Intelligence), I would give six out of ten. For the cloud solution, I would give nine out of ten. For the overall score for the support of Splunk ITSI (IT Service Intelligence), I will give seven out of ten. I am a customer of Splunk ITSI (IT Service Intelligence). I am continuing to learn about Splunk on different platforms, Linux, Windows, and also the cloud. So far it has been good. It is a good journey, and I am feeling positive about it. Splunk ITSI (IT Service Intelligence) is very understandable. Everybody says Splunk is a complex environment, but it is not that complex. We can adapt and quickly learn if anybody is starting a new journey on Splunk ITSI (IT Service Intelligence). I have thoughts on legal statements and the process of creating an account. My overall review rating for Splunk ITSI (IT Service Intelligence) is nine out of ten.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 16, 2026
Security Consultant at Matiq
Reduces manual intervention and enables comprehensive security monitoring with risk-based insights
Pros and Cons
- "The features of Splunk Enterprise Security that I have found most valuable include the risk-based score and UBA/UEBA, user behavior analytics, or user and entity behavior analytics."
- "We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst. They should offer training based on the features we use."
- "Areas of Splunk Enterprise Security that could be improved include the need for training and certifications. We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst."
What is our primary use case?
My usual use cases for Splunk Enterprise Security involve creating notables, use cases, and dashboards. We are creating the use cases as per defense in depth across all the security layers, such as the network layer or data link layer, DLP protection, and network protection. We are using firewalls and proxies, as well as IPS, and we are using Defender as Cloud App Security for 365 and EDR. We are using Defender as a single pane of glass, collecting all the logs from all the security devices, writing the correlation rules, configuring the notables, and monitoring 360 degrees of the organization's security.
How has it helped my organization?
It is a comprehensive solution with many security-related features. The data enrichment feature helps identify any anomalies from devices and users. It helps identify any malicious activity patterns, risks, or login failures.
We have implemented conditional policies where traffic from certain countries gets blocked. We are utilizing the Splunk Machine Learning Toolkit (MLTK) app to create models for automatic actions or remediation. We are trying to catch the true positive incidents and orchestrate a response. We have created two models to identify brute force attacks and user login failures.
What is most valuable?
The features of Splunk Enterprise Security that I have found most valuable include the risk-based score and UBA/UEBA, user behavior analytics, or user and entity behavior analytics. Based on this feature, we can identify anomalies in any activity from the user or device.
It serves as a single pane of glass for all the security-related events. It helps cross-correlate with minimal manual intervention, detect true positives, and take remediation steps in an orchestrated manner. It is very efficient. It's a top solution in Gartner Quadrants and Datamatics.
What needs improvement?
Areas of Splunk Enterprise Security that could be improved include the need for training and certifications. We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst. They should offer training based on the features we use. For any future enhancements or features, such as MLTK and SOAR platform integration, we need more visibility, training, and certification for the skilled professionals who are working.
For how long have I used the solution?
I have been working with Splunk Enterprise Security for seven years.
What do I think about the stability of the solution?
This solution is stable. The platform and the applications we are dealing with are stable and maintain high availability both on-prem and cloud.
What do I think about the scalability of the solution?
Scalability-wise, we find it comfortable. It's convenient to scale up or scale down the licenses or the components in the cloud.
How are customer service and support?
When we require support from the Splunk Enterprise Security team, if we raise a request, they respond based on priority, providing recommendations or best practices as per the platform recommendations.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I work with multiple customers. They use different products, such as Trend Micro XDR. The customer I am working with right now is using Splunk Enterprise Security. It was chosen by the customer.
How was the initial setup?
For deploying Splunk Enterprise Security, we follow a cluster environment for high availability and high performance, maintaining an architecture with several search heads, indexers, and forwarders. Data is pushed from all forwarders to the indexers, which are heavy forwarders where indexing, parsing, and normalization are performed. Once it is done, we search the data through search heads, with a license master and deployment server present to push configurations to all components of Splunk Enterprise Security. It's a distributed and clustered environment we are maintaining.
What was our ROI?
We have seen a return on investment. We are getting more security. We are able to secure the environment from all security threats and maintain an environment that is free from threats and attacks, especially cyberattacks.
What's my experience with pricing, setup cost, and licensing?
Pricing and licensing are quite high compared to other tools or SIEM tools, but the features justify it.
What other advice do I have?
Overall, I would rate Splunk Enterprise Security a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Manager at a tech vendor with 10,001+ employees
Provides strong threat visibility and MITRE coverage but lacks AI features and cost flexibility
Pros and Cons
- "Splunk Enterprise Security would provide better capabilities and out-of-box detections."
- "We haven't saved any money with Splunk Enterprise Security. Instead, we have spent in excess of the budget on this with unexpected costs."
What is our primary use case?
We use Splunk Enterprise Security for our security monitoring and incident management. This is our global application that we are using for security monitoring and compliance.
How has it helped my organization?
We've seen some good improvements from a business perspective, particularly regarding security monitoring. However, when I consider our current challenges and future roadmap, I don't believe Splunk Enterprise Security has the capabilities we need. We previously faced challenges with QRadar, which prompted us to migrate to Splunk Enterprise Security. While Splunk Enterprise Security has addressed the past issues we encountered, it fails to meet our future requirements. Currently, it effectively addresses existing threats, but it doesn’t tackle advanced threats, which is a significant challenge we foresee with Splunk. There is still a lot of room for improvement.
What is most valuable?
With the Classic flavor we have in our company, the feature that I find good in Splunk Enterprise Security is from the MITRE coverage point of view, and then the level of information that it provides. The integration with its own SOAR platform is also one of the pros.
What needs improvement?
From the product point of view and deployment point of view, Splunk Enterprise Security is satisfactory. It is not simple; it is at a medium level when it comes to deployment and management of the tool altogether. This includes not only the enterprise platform but also other components such as deployment servers or the Splunk agents we use for collecting logs. When comparing it with different vendors in the industry, from the deployment and maintenance point of view, it is not up to the level of other vendors.
When discussing the drawbacks, it's important to note that the flavor I’m currently using is called "Classic." Unfortunately, this platform does not offer any of the new features that Splunk introduces. As a result, we are the last ones to find out about new capabilities, and we’re also slow to implement them. Splunk tends to release new features with different flavors of their platform, and being on the Classic flavor means we are least likely to receive the latest updates. This is a significant concern I have regarding Splunk.
When comparing Splunk Enterprise Security with next-gen SIEMs, we look for AI and ML models being incorporated in such a way that it automatically should be able to detect behavioral-based detections. It should be able to detect behaviors from logs and show us the entire attack surface and blast radius of any particular incident, which is primarily missing.
The capability of AI, Artificial Intelligence, is missing, which would help to automatically detect and read data comprehensively. Splunk lacks the new native solutions for agent deployment, which is essential for a large enterprise.
Currently, there is Machine Learning in Splunk Enterprise Security, but that is resource exhaustive and complex, bringing an impact onto our overall stack performance. Technical expertise in Machine Learning is required, and continuous monitoring is needed to ensure Machine Learning learns about our data to provide results, which is resource exhaustive, time-consuming, and costly.
Artificial Intelligence is missing in the Splunk Enterprise Security platform, which would help us read the data automatically, learn from it, and provide attack surface area from a 360-degree perspective. The fixed pricing model requires upfront purchase based on assumptions and roadmap, requiring payment for the next two to three years regardless of usage.
For how long have I used the solution?
I have been using Splunk Enterprise Security for around three years.
What do I think about the stability of the solution?
On a stability scale, I would rate it an eight out of ten.
What do I think about the scalability of the solution?
Regarding scalability, I would rate it a seven out of ten. I don't have the pay-as-you-go model.
We have 150 users using this solution.
How are customer service and support?
Whenever we raise any support case in Splunk, even after providing the required information, if a person is working on it and it gets transferred or handed over to a different representative in a different shift, they keep asking the same questions and requesting more details. Even when we ask for a call, even for P1 or P2 incidents, they keep going around asking for details. When we request P1 or P2 support, it would be wise to get into a call, get all the details, and have a troubleshooting call to address the issue on a priority basis. The technical support representatives keep transferring the tickets during shift handover, and different representatives ask the same questions multiple times, wasting our precious time. The issue doesn't get resolved until I escalate it to their higher management.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We were using QRadar previously. We had legacy systems, and from the volume and log source point of view, from the costing perspective and detection point of view, we thought Splunk Enterprise Security was far better than QRadar. Splunk Enterprise Security would provide better capabilities and out-of-box detections. These were some of the things that we saw, and Splunk Enterprise Security was also one of the leaders in SIEM technology. However, once we started using Splunk Enterprise Security, we discovered it was not the right tool.
How was the initial setup?
The initial setup was of medium complexity. It took approximately 8 to 12 months to migrate from QRadar to Splunk Enterprise Security.
The cloud platform we are using is maintained by the Splunk team itself. However, when it comes to our on-premises deployment, the maintenance is very high, cumbersome, and costly from both resource and time perspectives.
What was our ROI?
We haven't saved any money with Splunk Enterprise Security. Instead, we have spent in excess of the budget on this with unexpected costs. That's one of the pain points I see with Splunk Enterprise Security. There haven't been any savings.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security comes with high fixed costs. That's one of the disadvantages. When comparing with different vendors, they offer pay-as-you-use models, which is more user-friendly, but Splunk Enterprise Security comes with fixed pricing.
Which other solutions did I evaluate?
We use different security tools as well.
What other advice do I have?
For any user who wants to have a cost-efficient and next-gen SIEM solution, I wouldn't recommend Splunk Enterprise Security. However, if a user is not concerned about cost and is looking for an on-premises solution, then I would suggest Splunk Enterprise Security. For anyone who wants to go for a cloud and cost-effective solution with next-gen capability, I wouldn't recommend this.
I would rate it a seven out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Sep 30, 2025
Assistant VP, Data Loss Prevention at State Street
Creating custom detections has accelerated threat response and improved team independence
What is our primary use case?
My main use case for Splunk Enterprise Security is web uploads.
What is most valuable?
The ability to create SPLs in Splunk Enterprise Security is my favorite feature. These features benefit my organization primarily through threat detection, which is what I use it for, so that's a huge benefit. Splunk Enterprise Security has absolutely helped improve my organization's business resilience.
What needs improvement?
Splunk Enterprise Security could be improved by incorporating AI features, as it doesn't have the AI capability that Pyramid does, where users can ask questions without having to write code.
For how long have I used the solution?
It has been more than three years.
What do I think about the stability of the solution?
I haven't experienced any downtime or performance issues with Splunk Enterprise Security. Zscaler may experience issues because Splunk grabs data from them, but other than that, I haven't had anything crash.
What do I think about the scalability of the solution?
Splunk Enterprise Security adapts to our growing needs on a yearly basis, as we're constantly growing our program and it has helped in that way. We have expanded usage from just engineering, as now our whole DLP team uses it, allowing us to not rely on other people for it. It was a smooth process when we were expanding usage.
What other advice do I have?
The most significant challenges I've faced when using Splunk include getting the code right. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be good, as changes are easy to make. On average, my security ops team takes about three days to remediate security incidents with Splunk Enterprise Security, depending on what the incident is.
My advice to other organizations considering Splunk Enterprise Security is that it depends on their needs and costs, but I think it can cover everything from a small business to a large business, so I would definitely recommend it.
On a scale of 1-10, I rate Splunk Enterprise Security an 8.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 11, 2025