reviewer2815500 - PeerSpot reviewer
Jr. Oracle Apex Developer at a tech services company with 51-200 employees
Real User
Top 5
Jun 2, 2026
Flexible analytics have empowered custom threat detection and faster incident investigations
Pros and Cons
  • "After implementing Splunk Enterprise Security, we have seen downtime reduced by approximately 30 to 40%."
  • "Splunk Enterprise Security is a very mature platform, but there are a few areas where I think it can improve."

What is our primary use case?

Splunk Enterprise gives us the foundation for collecting, indexing, and analyzing data, while Splunk Enterprise Security adds more security-specific capabilities like threat detection, correlation searches, risk analysis, and investigation workflows. We use it to monitor security events from different sources such as authentication systems, endpoints, and network devices. It helps us identify suspicious behavior, prioritize notable events, and investigate incidents more efficiently. The advantage is that we can still customize detections and dashboards based on our environment instead of depending only on different tools.

What is most valuable?

The best feature of Splunk Enterprise Security is the flexibility it provides when working with different types of machine data. One feature I really appreciate is SPL, or Search Processing Language, because it allows us to investigate data in a very detailed way; we can start from a simple search and gradually build more advanced queries to find patterns, troubleshoot problems, or identify unusual activities. Another valuable feature is the customization capability, allowing us to create our own dashboards, alerts, and reports based on exactly what our team needs instead of depending only on predefined templates. I also appreciate the data onboarding flexibility as Splunk can handle many different log formats, and we can decide how data is indexed, retained, and analyzed based on our requirements.

Splunk Enterprise Security's security customization capability is one of the areas where I find it very strong. From a security perspective, every organization has different requirements, and Splunk Enterprise Security allows us to build detection logic based on our own environments instead of depending only on fixed rules. For example, we can create custom SPL search and correlation rules, alerts, and dashboards to monitor specific activities such as unusual login behavior, system changes, or suspicious events. I also appreciate that we can combine data from multiple sources such as servers, network devices, and security tools to create a complete investigation workflow. The flexibility of customized search and security monitoring based on real business needs is one of the biggest advantages of Splunk Enterprise Security.

What needs improvement?

Splunk Enterprise Security is a very mature platform, but there are a few areas where I think it can improve. One area is administration and configuration simplicity; since Splunk Enterprise gives a lot of control, managing components such as indexers, search heads, configuration, and upgrades can become complex, especially for new teams. More automation around administration would help. Another improvement area is resource optimization. When dealing with very large data volumes, search and storage require proper tuning, so more built-in recommendations for performance optimization would make it easier. I would also appreciate more AI-assisted capabilities, especially for creating SPL queries, tuning alerts, and suggesting improvements automatically. Overall, the flexibility is excellent, but making management and optimization easier would improve the experience.

For how long have I used the solution?

I have been using Splunk Enterprise Security for around 1.5 years, and during this time I have worked mainly on log analysis, monitoring, and troubleshooting different systems.

Buyer's Guide
Splunk Enterprise Security
May 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
902,270 professionals have used our research since 2012.

What do I think about the stability of the solution?

I would rate the stability of Splunk Enterprise Security around nine out of ten; in my experience, it is a very stable and reliable platform, especially when the architecture is designed properly. Once components such as indexers, search heads, and forwarders are configured correctly, it runs consistently without frequent issues and handles continuous data ingestion and searches very well, even with large amounts of machine data. The reason I would not give a ten is that stability also depends on proper maintenance, resource allocation, and configuration tuning. If searches are not optimized or the infrastructure is not sized correctly, performance issues can occur. But overall, for an enterprise environment, it is a very dependable solution.

What do I think about the scalability of the solution?

We have around 40 to 50 active users of Splunk Enterprise Security, and the users are mainly from different teams such as security operations, infrastructure, application support, and the engineering team. Not every user uses it in the same way; some mainly view dashboards and reports, while analysts and engineers use it more deeply for SPL search, troubleshooting, investigation, and creating alerts. We manage access based on roles, so different teams get permission and data visibility according to their needs.

How are customer service and support?

I would rate technical support around nine; overall, the support experience has been good. The support team is knowledgeable, especially when dealing with complex topics such as indexing issues, search performance, configuration problems, or distributed deployment troubleshooting. The documentation from the Splunk community is also very strong, allowing many common issues to be resolved quickly. The reason I would not give a full ten is that for some advanced technical issues, especially environment-specific problems, it sometimes takes multiple decisions or escalations to reach the final solution. But the overall quality of support and technical expertise is reliable.

Which solution did I use previously and why did I switch?

I have compared Splunk Enterprise Security with other SIEM and analytics solutions such as IBM QRadar and similar platforms. From my experience, the biggest advantage for Splunk Enterprise Security is its flexibility and data analytics capability; Splunk Enterprise Security is not limited only to security events, and we can bring in almost any type of machine data and create custom searches, dashboards, and use cases. Solutions such as IBM QRadar are strong for traditional SIEM use cases because they provide many predefined security rules and workflows out of the box. However, Splunk Enterprise Security gives more freedom to customize detection logic and analyze data in different ways using SPL; while Splunk Enterprise Security may require more configuration and tuning initially, once it is properly set up, it provides a lot of control and scalability. I would say QRadar is more structured out of the box, while Splunk Enterprise Security is better for organizations that want deeper customization, flexible analytics, and broader use cases beyond security. Therefore, I suggest that Splunk Enterprise Security is the best.

How was the initial setup?

We have deployed Splunk Enterprise Security in a self-managed on-premises deployment with a distributed architecture. Our setup includes components such as universal forwarders for collecting data, indexers for storing and processing events, and search heads for users to perform searches, create dashboards, and run reports. This deployment approach gives us more control over things such as data retention, infrastructure sizing, security policy, and custom configuration. For some data sources, we have integrated with cloud services, so it is more of a hybrid monitoring approach, but the main Splunk Enterprise Security environment is managed by our team.

What was our ROI?

After implementing Splunk Enterprise Security, we have seen downtime reduced by approximately 30 to 40%. The main reason is that Splunk Enterprise Security helps us identify problems much earlier instead of waiting until an issue impacts users. We can detect warning signs through logs, alerts, and system behavior patterns. For example, if an application starts generating errors or infrastructure performance changes, teams can investigate the event history quickly and understand the root cause. This can improve our mean time to resolution because engineers spend less time searching across multiple systems and more time fixing the actual problems.

What other advice do I have?

In Splunk Enterprise Security, we create custom correlation searches and alerts based on our environment requirements for risk-based alerting. For example, we set alerts for repeated failed login attempts, unusual user activity, privilege changes, or suspicious system behaviors. The useful part is that Splunk Enterprise Security does not force us to only use predefined detection; we can adjust thresholds, add conditions, and tune alerts using SPL to reduce false positives and focus on important events.

We have explored the newer Splunk detection capabilities mainly through Splunk Enterprise Security. We use features such as risk-based alerting and advanced correlation searches to improve how we detect threats instead of looking at every alert separately. Risk-based detection helps combine multiple suspicious activities and prioritize users or systems that show higher risk. Additionally, we use custom security content and detection rules based on our environment. The benefit is that we can tune detections, reduce unnecessary alerts, and focus more on meaningful security events. Overall, the newer detection approach helps move from just alert monitoring to a more context-driven investigation process.

I would rate Splunk Enterprise Security an eight; the reason is that it provides very strong capabilities for security monitoring, threat detection, and investigation. With Splunk Enterprise Security, we can combine data from different sources, create custom detections, and analyze suspicious activities to gain better context during investigations. I especially appreciate features such as correlation searches, risk-based alerting, and customizable security dashboards because they help prioritize important threats instead of only generating a large number of alerts. The only reason I would not give it a perfect ten is that it requires proper tuning and skilled users to get maximum value, and initial configuration and detection optimization can take time. But once implemented properly, it is a very powerful security analytics platform. I rate Splunk Enterprise Security an eight overall.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 2, 2026
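The repeated-failed-login correlation search described in the review above, written out in SPL as an added example (an editor's illustration, not the reviewer's own search and not Splunk's shipped content). It assumes the Authentication data model is populated and accelerated (drop summariesonly=true if it is not), that the risk_score value of 40 is a placeholder for your own scoring scheme, and that the thresholds of 20 failures from 3 or more sources inside a 10-minute bucket are starting points to tune against your own baseline:

```spl
| tstats summariesonly=true
    count AS failure_count,
    dc(Authentication.src) AS src_count,
    values(Authentication.src) AS src_list
    FROM datamodel=Authentication
    WHERE Authentication.action="failure"
    BY _time span=10m Authentication.user
| rename Authentication.user AS user
| where failure_count >= 20 AND src_count >= 3
| eval risk_score=40,
       risk_message="User ".user." had ".failure_count." failed logins from ".src_count." distinct sources within 10 minutes"
| table _time, user, failure_count, src_count, src_list, risk_score, risk_message
```

To pick the thresholds, run the search over a few weeks with the where clause removed and look at the distribution of failure_count and src_count per user; service accounts and vulnerability scanners usually dominate the tail and are better excluded with a lookup than by raising the threshold for everyone. Saved as an ES correlation search with the Risk adaptive response action (rather than Notable), the search only writes risk_score and risk_message into the risk index, which is what lets risk-based alerting combine it with other weak signals instead of paging on every burst.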
Security Consultant at Matiq
Consultant
Top 20
Jun 12, 2025
Reduces manual intervention and enables comprehensive security monitoring with risk-based insights
Pros and Cons
  • "The features of Splunk Enterprise Security that I have found most valuable include the risk-based score and UBA/UEBA, user behavior analytics, or user and entity behavior analytics."
  • "Areas of Splunk Enterprise Security that could be improved include the need for training and certifications. We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst."

What is our primary use case?

My usual use cases for Splunk Enterprise Security involve creating notables, use cases, and dashboards. We are creating the use cases as per defense in depth in all the security layers, such as the network layer or data link layer, DLP protection, and network protection. We are using firewalls and proxy, as well as IPS, and we are using Defender as Cloud App Security of 365 and EDR. We are using Defender as a single pane of glass, collecting all the logs from all the security devices, writing the correlation rules, configuring the notables, and monitoring 360 degrees of the organization's security.

How has it helped my organization?

It is a comprehensive solution with many security-related features. The data enrichment feature helps identify any anomalies from devices and users. It helps identify any malicious activity patterns, risks, or login failures. 

We have implemented conditional policies where traffic from certain countries gets blocked. We are utilizing the Splunk Machine Learning Toolkit (MLTK) app to create models for automatic actions or remediation. We are trying to catch the true positive incidents and orchestrate a response. We have created two models to identify brute force attacks and user login failures.

What is most valuable?

The features of Splunk Enterprise Security that I have found most valuable include the risk-based score and UBA/UEBA, user behavior analytics, or user and entity behavior analytics. Based on this feature, we can identify anomalies in any activity from the user or device. 

It serves as a single pane of glass for all the security-related events. It helps cross-correlate with minimal manual intervention, detect true positives, and take remediation steps in an orchestrated manner. It is very efficient. It's a top solution in Gartner Quadrants and Datamatics.

What needs improvement?

Areas of Splunk Enterprise Security that could be improved include the need for training and certifications. We are planning to do certifications, and there are many features, such as risk-based score and score detection, where the current training doesn't provide visibility to the analyst. They should offer training based on the features we use. For any future enhancements or features, such as MLTK and SOAR platform integration, we need more visibility, training, and certification for the skilled professionals who are working.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for seven years.

What do I think about the stability of the solution?

This solution is stable. The platform and the applications we are dealing with are stable and maintain high availability both on-prem and cloud.

What do I think about the scalability of the solution?

Scalability-wise, we find it comfortable. It's convenient to scale up or scale down the licenses or the components in the cloud.

How are customer service and support?

When we require support from the Splunk Enterprise Security team, if we raise a request, they respond based on priority, providing recommendations or best practices as per the platform recommendations.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I work with multiple customers. They use different products, such as Trend Micro XDR. The customer I am working with right now is using Splunk Enterprise Security. It was chosen by the customer.

How was the initial setup?

For deploying Splunk Enterprise Security, we follow a cluster environment for high availability and high performance, maintaining an architecture with several search heads, indexers, and forwarders. Data is pushed from all forwarders to the indexers, which are heavy forwarders where indexing, parsing, and normalization are performed. Once it is done, we search the data through search heads, with a license master and deployment server present to push configurations to all components of Splunk Enterprise Security. It's a distributed and clustered environment we are maintaining.

What was our ROI?

We have seen a return on investment. We are getting more security. We are able to secure the environment from all security threats and maintain an environment that is free from threats and attacks, especially cyberattacks.

What's my experience with pricing, setup cost, and licensing?

Pricing and licensing are quite high compared to other tools or SIEM tools, but the features justify it.

What other advice do I have?

Overall, I would rate Splunk Enterprise Security a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
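The risk-based scoring the review above and the previous review both rely on (several low-confidence risk events against one user or host rolled up into a single notable) is, in SPL, a scheduled aggregation over the risk index. The search below is an added example, not either reviewer's search and not the risk incident rule that ships with Splunk Enterprise Security; it assumes the default index name risk, the annotations.mitre_attack.* fields that ES attaches to each risk event (verify the field names in your version), and placeholder thresholds of 100 total risk with either three distinct rules or two distinct ATT&CK tactics:

```spl
index=risk earliest=-24h
| stats sum(risk_score) AS total_risk,
        dc(search_name) AS distinct_rules,
        values(search_name) AS rules,
        dc(annotations.mitre_attack.mitre_tactic_id) AS distinct_tactics,
        values(annotations.mitre_attack.mitre_technique_id) AS techniques,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY risk_object, risk_object_type
| where total_risk >= 100 AND (distinct_rules >= 3 OR distinct_tactics >= 2)
| convert ctime(first_seen) ctime(last_seen)
| sort - total_risk
```

The OR in the where clause is deliberate: requiring several distinct rules catches an entity that trips many different detections, while requiring several tactics catches a progression such as initial access followed by credential access even when only two rules fired. Run on a schedule and attached to the Notable adaptive response, this is the one search that creates tickets; the individual risk rules only contribute scores, which is how the alert volume drops while each notable arrives with the list of contributing rules and techniques already in it.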
Sachin Nagar - PeerSpot reviewer
Software Engineer at tcs
Real User
Top 5
Jun 23, 2026
Monitoring has become proactive and investigations are driven by faster, end-to-end insights
Pros and Cons
  • "We have managed to reduce our average time to resolve issues by approximately 80% as previously debugging took around four to five hours locally, but using Splunk Enterprise Security, we can resolve the same issues in only an hour or less than an hour."
  • "My experience with Splunk Enterprise Security has been very good, although I encounter a minor issue with time limit exit errors when filtering data over longer durations."

What is our primary use case?

I confirm that I am a customer of this solution, like an end user, and I usually use Splunk Enterprise Security for various use cases.

What is most valuable?

My favorite features of Splunk Enterprise Security include creating dashboards according to our understanding, having a very user-friendly query language that allows us to query the data and get the output we need, and creating alerts while integrating different types of services in Splunk so that we directly receive all error reports and production log reports in our email IDs. This is a very helpful feature for us because I recently integrated different types of mail services into Splunk. Our alerts and reports run based on a cron scheduler, which allows us to decide when to trigger alerts and reports.

Splunk Enterprise Security has positively impacted our organization by helping us monitor our services effectively. It allows us to easily identify consumer issues, especially when a consumer reports an error, as we have around 50,000 consumers in our organization, all of whom use Splunk. With Splunk Enterprise Security, we can search logs on different bases using trace IDs and span IDs, making security very effective, and integrating it into our services is easy, managing distributed transactions with ease.

I have seen that AI-driven detections and assistance have improved the accuracy of my investigations with Splunk Enterprise Security. It integrates AI features that provide quick summaries for all our traces.

The capabilities of Splunk Enterprise Security support my team in making faster, data-driven decisions because its query language is very easy to understand, resembling simple English. We write a query, specify our index and source, and get output in a very straightforward manner.

Splunk Enterprise Security has significantly reduced my team's average mean time to resolve issues. Unlike platforms such as Honeycomb, which only provide traces, Splunk Enterprise Security gives us end-to-end flow data, allowing us to see the entire data flow from start to finish when a process is created.

We have managed to reduce our average time to resolve issues by approximately 80%. Previously, debugging took around four to five hours locally, but using Splunk Enterprise Security, we can resolve the same issues in only an hour or less than an hour.

Splunk Enterprise Security has helped reduce my team's average mean time to detect issues. Approximately, we have managed to reduce that time by around 70 to 80%.

The risk-based alerting features of Splunk Enterprise Security have significantly impacted my alert volume and analyst productivity. The powerful, optimized searching language is easy to understand, allowing us to monitor our services in real-time and customize dashboards and data. We can create small components in our Splunk Enterprise Security dashboard for proper end-to-end communication flow, and the strong alerting system, along with enterprise support, makes Splunk Enterprise Security very efficient.

I evaluate the threat topology and MITRE ATT&CK framework features in Splunk Enterprise Security as very effective for discovering the overall scope of incidents. With distributed services, Splunk Enterprise Security allows easy integration and provides a single point of monitoring for all our services.

Splunk Enterprise Security has helped me detect threats faster. Tracing is very easy, which reduces debugging time and gives direct results with end-to-end traces across all services. This reduces our time by around 70 to 80%, allowing us to develop solutions for consumers quickly, especially when they raise incidents.

Splunk Enterprise Security Essentials has contributed to a reduction in analyst burnout or fatigue. My experience with Splunk Enterprise Security has been very good, although I encounter a minor issue with time limit exit errors when filtering data over longer durations. This occurs about five to ten percent of the time. If I limit the data to 15 to 20 days instead of one or two months, the experience improves significantly. However, sometimes running multiple queries in background tabs leads to session errors.

Splunk Enterprise Security Essentials has improved my team's daily work experience and retention as our team has been using Splunk Enterprise Security for the last two years and has not shifted to any other platform because all team members find it very user-friendly and the overall experience is excellent.

The integration of threat intelligence directly into the TDIR workflow has indeed improved our ability to preemptively block threats. Splunk Enterprise Security automatically finds telemetry logs and performance data from our infrastructure, enabling data pipeline automation, built-in AI and predictive monitoring, and continuous network visibility.

I find the pricing and licensing of Splunk Enterprise Security to be decent, though it can sometimes seem expensive. However, the scalability and capabilities it provides justify the price, particularly for larger organizations. I would definitely suggest that people use Splunk Enterprise Security, as it significantly improves productivity by allowing tasks that previously required two people to be completed by one due to reduced debugging time.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for two years, and I am still working with it.

What do I think about the stability of the solution?

The reliability and stability of Splunk Enterprise Security are commendable because integration is straightforward, user experience is excellent, and the query language is very user-friendly. Anyone with basic programming knowledge can easily understand how to query data effectively. Additionally, its most helpful feature allows searching any log using specific keywords, which provides accurate output even for those unfamiliar with query language.

What do I think about the scalability of the solution?

The scalability level of Splunk Enterprise Security is very optimized and excellent, as it can handle millions of transactions and logs are processed in fractions of seconds. We can easily scale our Splunk Enterprise Security infrastructure.

How are customer service and support?

I do not often communicate with the technical support of Splunk Enterprise Security because I have not faced any issues in my last two years of using the platform.

When I encounter issues, I rely on the official documentation provided by Splunk Enterprise Security, which is very helpful. The product documentation is the best source for finding information regarding the product, and I always go to the documentation when I am uncertain about something.

Which solution did I use previously and why did I switch?

I have not used different technologies for these use cases before Splunk Enterprise Security; since I joined my organization, we have only been using Splunk Enterprise Security. In my previous organization, they may have used another platform such as Sentry.

What other advice do I have?

Regarding the native UEBA capability of Splunk Enterprise Security, we have created an internal platform for data exports to Splunk Enterprise Security. However, I am not fully grasping the specifics of how it enhances visibility into unknown, sophisticated, or insider threats. I would rate this review at 9.8 out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 23, 2026
GuruPrasad3 - PeerSpot reviewer
Cyber Security Manager at a tech vendor with 10,001+ employees
Real User
Top 10
Sep 30, 2025
Provides strong threat visibility and MITRE coverage but lacks AI features and cost flexibility
Pros and Cons
  • "Splunk Enterprise Security would provide better capabilities and out-of-box detections."
  • "We haven't saved any money with Splunk Enterprise Security. Instead, we have spent in excess of the budget on this with unexpected costs."

What is our primary use case?

We use Splunk Enterprise Security for our security monitoring and incident management. This is our global application that we are using for security monitoring and compliance.

How has it helped my organization?

We've seen some good improvements from a business perspective, particularly regarding security monitoring. However, when I consider our current challenges and future roadmap, I don't believe Splunk Enterprise Security has the capabilities we need. We previously faced challenges with QRadar, which prompted us to migrate to Splunk Enterprise Security. While Splunk Enterprise Security has addressed the past issues we encountered, it fails to meet our future requirements. Currently, it effectively addresses existing threats, but it doesn’t tackle advanced threats, which is a significant challenge we foresee with Splunk. There is still a lot of room for improvement.

What is most valuable?

With the Classic flavor we have in our company, the feature that I find good in Splunk Enterprise Security is from the MITRE coverage point of view, and then the level of information that it provides. The integration with its own SOAR platform is also one of the pros.

What needs improvement?

From the product point of view and deployment point of view, Splunk Enterprise Security is satisfactory. It is not simple; it is at a medium level when it comes to deployment and management of the tool altogether. This includes not only the enterprise platform but also other components such as deployment servers or the Splunk agents we use for collecting logs. When comparing it with different vendors in the industry, from the deployment and maintenance point of view, it is not up to the level of other vendors. 

When discussing the drawbacks, it's important to note that the flavor I’m currently using is called "Classic." Unfortunately, this platform does not offer any of the new features that Splunk introduces. As a result, we are the last ones to find out about new capabilities, and we’re also slow to implement them. Splunk tends to release new features with different flavors of their platform, and being on the Classic flavor means we are least likely to receive the latest updates. This is a significant concern I have regarding Splunk.

When comparing Splunk Enterprise Security with next-gen SIEMs, we look for AI and ML models being incorporated in such a way that it automatically should be able to detect behavioral-based detections. It should be able to detect behaviors from logs and show us the entire attack surface and blast radius of any particular incident, which is primarily missing.

The capability of AI, Artificial Intelligence, is missing, which would help to automatically detect and read data comprehensively. Splunk lacks the new native solutions for agent deployment, which is essential for a large enterprise.

Currently, there is Machine Learning in Splunk Enterprise Security, but that is resource exhaustive and complex, bringing an impact onto our overall stack performance. Technical expertise in Machine Learning is required, and continuous monitoring is needed to ensure Machine Learning learns about our data to provide results, which is resource exhaustive, time-consuming, and costly.

Artificial Intelligence is missing in the Splunk Enterprise Security platform, which would help us read the data automatically, learn from it, and provide attack surface area from a 360-degree perspective. The fixed pricing model requires upfront purchase based on assumptions and roadmap, requiring payment for the next two to three years regardless of usage.

For how long have I used the solution?

I have been using Splunk Enterprise Security for around three years.

What do I think about the stability of the solution?

On a stability scale, I would rate it an eight out of ten.

What do I think about the scalability of the solution?

Regarding scalability, I would rate it a seven out of ten. I don't have the pay as you go model. 

We have 150 users using this solution.

How are customer service and support?

Whenever we raise any support case in Splunk, even after providing the required information, if a person is working on it and it gets transferred or handed over to a different representative in a different shift, they keep asking the same questions and requesting more details. Even when we ask for a call, even for P1 or P2 incidents, they keep going around asking for details. When we request P1 or P2 support, it would be wise to get into a call, get all the details, and have a troubleshooting call to address the issue on a priority basis. The technical support representatives keep transferring the tickets during shift handover, and different representatives ask the same questions multiple times, wasting our precious time. The issue doesn't get resolved until I escalate it to their higher management.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We were using QRadar previously. We had legacy systems, and from the volume and log source point of view, from the costing perspective and detection point of view, we thought Splunk Enterprise Security was far better than QRadar. Splunk Enterprise Security would provide better capabilities and out-of-box detections. These were some of the things that we saw, and Splunk Enterprise Security was also one of the leaders in SIEM technology. However, once we started using Splunk Enterprise Security, we discovered it was not the right tool.

How was the initial setup?

The initial setup was of medium complexity. It took approximately 8 to 12 months to migrate from QRadar to Splunk Enterprise Security. 

The cloud platform we are using is maintained by the Splunk team itself. However, when it comes to our on-premises deployment, the maintenance is very high, cumbersome, and costly from both resource and time perspectives.

What was our ROI?

We haven't saved any money with Splunk Enterprise Security. Instead, we have spent in excess of the budget on this with unexpected costs. That's one of the pain points I see with Splunk Enterprise Security. There haven't been any savings.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security comes with high fixed costs. That's one of the disadvantages. When comparing with different vendors, they offer pay-as-you-use models, which is more user-friendly, but Splunk Enterprise Security comes with fixed pricing.

Which other solutions did I evaluate?

We use different security tools as well.

What other advice do I have?

For any user who wants to have a cost-efficient and next-gen SIEM solution, I wouldn't recommend Splunk Enterprise Security. However, if a user is not concerned about cost and is looking for an on-premises solution, then I would suggest Splunk Enterprise Security. For anyone who wants to go for a cloud and cost-effective solution with next-gen capability, I wouldn't recommend this.

I would rate it a seven out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Sep 30, 2025
Jeanette Pavelka - PeerSpot reviewer
Assistant VP, Data Loss Prevention at State Street
Real User
Top 10
Sep 11, 2025
Creating custom detections has accelerated threat response and improved team independence

What is our primary use case?

My main use case for Splunk Enterprise Security is web uploads.

What is most valuable?

The ability to create SPLs in Splunk Enterprise Security is my favorite feature. These features benefit my organization primarily through threat detection, which is what I use it for, so that's a huge benefit. Splunk Enterprise Security has absolutely helped improve my organization's business resilience.

What needs improvement?

Splunk Enterprise Security could be improved by incorporating AI features, as it doesn't have the AI capability that Pyramid does, where users can ask questions without having to write code.

For how long have I used the solution?

It has been more than three years.

What do I think about the stability of the solution?

I haven't experienced any downtime or performance issues with Splunk Enterprise Security. Zscaler may experience issues because Splunk grabs data from them, but other than that, I haven't had anything crash.

What do I think about the scalability of the solution?

Splunk Enterprise Security adapts to our growing needs on a yearly basis, as we're constantly growing our program and it has helped in that way. We have expanded usage from just engineering, as now our whole DLP team uses it, allowing us to not rely on other people for it. It was a smooth process when we were expanding usage.

What other advice do I have?

The most significant challenges I've faced when using Splunk include getting the code right. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security to be good, as changes are easy to make. On average, my security ops team takes about three days to remediate security incidents with Splunk Enterprise Security, depending on what the incident is.

My advice to other organizations considering Splunk Enterprise Security is that it depends on their needs and costs, but I think it can cover everything from a small business to a large business, so I would definitely recommend it.

On a scale of 1-10, I rate Splunk Enterprise Security an 8.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2755848 - PeerSpot reviewer
Cyber Security Engineer at a government with 1,001-5,000 employees
Real User
Top 10
Sep 11, 2025
Case management improves incident response but the user interface remains a daily challenge
Pros and Cons
  • "I evaluate customer service and technical support as great."
  • "Splunk Enterprise Security is probably one of the first products that actually could handle all the ingest and do all the correlation without crumbling under its own weight."
  • "To improve Splunk Enterprise Security, I would suggest allowing third-party SOAR solutions to work with it."
  • "The user interface feels clunky to navigate and interact with in Splunk Enterprise Security compared to other case management solutions where it feels easier to use at a high level."

What is our primary use case?

My main use case for Splunk Enterprise Security is incident response.

What is most valuable?

The feature I appreciate the most in Splunk Enterprise Security is the case management, although I have more critiques for the case management than favorite features. Having case management in Splunk Enterprise Security is something I appreciate since we needed a way to centrally manage all of our incidents. 

Having case management in Splunk Enterprise Security has really benefited our organization.

What needs improvement?

To improve Splunk Enterprise Security, I would suggest allowing third-party SOAR solutions to work with it. The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include the user interface, which isn't terribly intuitive, and it has been a process to get people to adopt it and use it as much as they should.

The user interface feels clunky to navigate and interact with in Splunk Enterprise Security compared to other case management solutions where it feels easier to use at a high level. In Splunk Enterprise Security, the way you click through everything, attach stuff, and interact with other analysts feels cumbersome, with a lot of digging required to get into things; not everything is just one click away—things are usually three clicks away. 

The process of extending the usage of Splunk Enterprise Security is still bumpy; the user experience is really the challenge there, as many of our analysts complain about its difficulty for day-to-day use.

For how long have I used the solution?

I have been using Splunk Enterprise Security for about three years.

What do I think about the stability of the solution?

I have not experienced any downtime, crashes, or performance issues with Splunk Enterprise Security. Although we occasionally receive emails from Splunk about performance issues, they are typically resolved quickly, and the system appears to be running smoothly.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales effectively with the growing needs of my organization and there are no issues.

How are customer service and support?

I evaluate customer service and technical support as great; our support team is fantastic, and we have regular cadence with our support teams and our representatives.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Before adopting Splunk Enterprise Security, we were using several different SIM products to address similar needs, but I disliked them all; none of them really worked and they all crumbled under the ingest load. 

One product required us to completely sever logs since it couldn't compute; it was pretty bad. Splunk Enterprise Security is probably one of the first products that actually could handle all the ingest and do all the correlation without crumbling under its own weight.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as easy, mainly because we use the cloud version; since it's Splunk Cloud, we didn't have to do much to deploy it, and we don't do a deployment in the cloud—it's managed.

What about the implementation team?

I have a team that customizes, develops, tests, deploys, and refines detections in Splunk Enterprise Security; I don't do that personally, so I cannot talk extensively to that process. However, we go through a process to do that, and I haven't heard many complaints about it.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security. Incident response, along with triaging and increased efficiency, has been a notable example of return on investment.

What's my experience with pricing, setup cost, and licensing?

It would always be great if Splunk Enterprise Security was cheaper; we definitely hit limits frequently with our ingest. I'm planning to explore the SVC model soon to see what that looks like. We're able to get what we need with what we have and can afford, so I'm satisfied.

Which other solutions did I evaluate?

We do not purchase this product on AWS Marketplace; instead, we get it directly from Splunk, or we go through a VAR.

What other advice do I have?

My advice to other organizations considering Splunk Enterprise Security is to make sure you understand all the functionality of it, not just what they show you, but also the integration points; understand the automation side of it and get a good holistic understanding before making a decision. 

On a scale of one to ten, I rate this solution a seven out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Jason Ogresovich - PeerSpot reviewer
Principal Threat Detection Engineer at a transportation company with 10,001+ employees
Video Review
Real User
Top 10
Sep 13, 2025
Has accelerated detection workflows and enabled timely alert triage across multiple data anchors
Pros and Cons
  • "I would assess the stability and reliability of Splunk Enterprise Security as very reliable and very stable."
  • "Splunk Enterprise Security can be improved by addressing the content management interface, which is very outdated, slow, and clunky; sometimes we think things are saved and they haven't."

What is our primary use case?

As a threat detection engineer, my main use case for Splunk Enterprise Security is to create content to find anomalous activity in our environment. Splunk Enterprise Security, via the content management interface, allows us to create correlation searches, take advantage of summary indexes where we can correlate multiple findings per host, per user, whatever anchor point you want to use, and get those alerts to our analysts in a timely manner, where they can be triaged based on alert severity and criticality.

What is most valuable?

The notable feature of Splunk Enterprise Security, which in version 8 is going to be called "findings," is the ability to send notables, and all the actions that can be chained with the notable when you actually have a hit or a finding.

The ability to quickly automate detections based on alerts or intelligence that we operationalize in the environment benefits my company, as we get that alert sent to the appropriate parties and put in front of the analysts quickly, allowing for triage and the ability to group the alerts together instead of just always looking at a single finding.

What needs improvement?

Splunk Enterprise Security can be improved by addressing the content management interface, which is very outdated, slow, and clunky; sometimes we think things are saved and they haven't. Being able to edit saved content and saved searches in batch, such as when you have a log source and a field changes, is a pain point right now since you have to go in and basically update all of them unless you do some kind of Eval on the ingestion side; that's probably the biggest pain point with it right now.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as very reliable and very stable.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales very well with the growing needs of our company, although there are definitely some things that are behind the times, such as some of the limitations out of the box on KV Stores, lookups, and some of the commands, the MV line of commands and some of the limitations there. Hopefully, with the advent of all the cool AI and ML capabilities coming down in the 8 series, many of those limitations will be eliminated.

How are customer service and support?

Regarding customer service and technical support, I don't generally submit support tickets; however, I have on a few occasions. It's usually our Splunk engineering team.

We have bimonthly meetings with our account representatives, and we have some sort of on-call technical staff that are assigned to our company and our contract, and they've all been excellent; wonderful people to work with.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I used another solution that does similar things, and over the course of my career, I've used a couple of different solutions, peer solutions with Splunk, but Splunk Enterprise Security is the best.

It really comes down to the versatility and how powerful it is; I have never worked with another platform where I can do as much for as many teams, not even just security, which is my primary focus, and the value that you can get out of it, I've never seen a platform that versatile.

What was our ROI?

From my point of view, the biggest return on investment when using Splunk Enterprise Security is keeping our company safe.

What other advice do I have?

The advice I would give to other companies that are considering Splunk Enterprise Security is that if you've never used Splunk, it can be a little daunting at first, learning a new language, Splunk SPL. That said, it's worth it.

The cycle time that's going to be taken in training and upskilling, once your staff is familiar with that, and you don't even have to do a lot of training, just a couple of the basic classes from Splunk University to get proficient, it's going to open a lot of doors.

On a scale of one to ten, I rate Splunk Enterprise Security a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
AmanThakkar - PeerSpot reviewer
Software Engineer at Titans Lab
Real User
Top 5 Leaderboard
Jun 19, 2026
Centralized logging has simplified root-cause analysis and improves productivity across apps
Pros and Cons
  • "Managing logs is very easy with Splunk Enterprise Security."
  • "One thing I would like to see improved in Splunk Enterprise Security is a better user manual."

What is our primary use case?

Our main use cases for Splunk Enterprise Security are to find the root cause of any applications, to see the dashboards, to see the logs, and to centralize some logging systems.

What is most valuable?

Managing logs is very easy with Splunk Enterprise Security. Earlier, we were using DataDog and before that, we were also using our own tool, 24/7, to maintain logs and everything. In that, we faced many issues maintaining logs from many applications because we are managing many applications right now. So it was very tough, and when we were introduced to Splunk Enterprise Security, we used it, and it became very easy to maintain. It is easy to have control over it.

The main benefits I have seen from using Splunk Enterprise Security are mainly two things: the pricing and the manpower. Right now, we do not have to worry about the time if we encounter any issues. Recently, one of our customers raised an issue that the application was running very slow. Earlier, we had issues like that, but at that time we had to do so much manual checking everywhere to find the issue. Right now, if we get an issue regarding this, it is very easy to understand the root cause.

What needs improvement?

One thing I would like to see improved in Splunk Enterprise Security is a better user manual. Right now, it is pretty tough for any newcomer or new user to understand everything because there are no specific areas for them to learn from.

From a features perspective, an enhancement I would like to see is a better learning aspect. The AI feature is great, but I believe enhancing the learning part for any new user would be beneficial.

For how long have I used the solution?

We have been using Splunk Enterprise Security products for the last eight to nine months, but I have been onboarded on this in the last six months.

What do I think about the stability of the solution?

The stability, reliability, and performance of Splunk Enterprise Security are pretty good. Now we are very stable with many production systems, and Splunk Enterprise Security is also scalable if we want to expand further.

How are customer service and support?

I would evaluate the tech support team as good.

Which solution did I use previously and why did I switch?

I previously used different products and solutions like in-house technologies and DataDog.

How was the initial setup?

The initial setup process for Splunk Enterprise Security was somewhat challenging. As I mentioned, it lacks a specific user manual, making the initial setup tough, but now we are hands-on and comfortable with it.

What was our ROI?

Regarding ROI, while I cannot speak specifically about the investment, I can say that the returns are good. We achieve one hundred percent productivity utilizing Splunk Enterprise Security to create multiple dashboards and find various issues.

What's my experience with pricing, setup cost, and licensing?

On the pricing aspect, I find the setup cost and licensing of Splunk Enterprise Security to be relatively cheaper compared to what we used earlier. I can say that what we are paying is worth it based on the value we receive.

Which other solutions did I evaluate?

We decided to switch to Splunk Enterprise Security because of the ecosystem. We are also using Splunk Cloud, and we have a good relationship with Splunk. The pricing compared to what we were using earlier is worth it.

The key differences, apart from pricing, are the visibility and observability. We did not get good visibility with the previous tools, but now we have a very clear view, which is why we switched to Splunk Enterprise Security.

What other advice do I have?

My advice for anyone considering Splunk Enterprise Security is to understand the basics of logging systems first and determine your use cases before building specific functionalities in Splunk Enterprise Security.

We have recently upgraded to Splunk Enterprise Security 8.0, and we are evolving everything now. We are evolving frameworks and many other things within it. I would rate this review an 8.5 overall.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Jun 19, 2026
Vaibhav Mahendra Kolhe - PeerSpot reviewer
SOC Analyst at Softcell Technologies Limited
Real User
Top 5
May 24, 2026
AI-driven threat detection has transformed investigations and reduces false positives for analysts
Pros and Cons
  • "The AI-driven detections have improved the accuracy of my investigations significantly, reduced my mean time to detection by about 30 percent and my mean time to resolution by about 40 percent, and contributed to faster, more efficient threat detection compared to other SIEM tools I have used."
  • "I rate the technical support of Splunk Enterprise Security as a three. I find it not good because whenever I raise a ticket, they take a very long time."

What is our primary use case?

Splunk Enterprise Security is mainly used for detecting and monitoring log analysis, threat detection, and incident investigation. It is primarily used for failed login detection where multiple failed login attempts occur from the same source IP. Brute force attacks are another common use case. Splunk Enterprise Security use cases can be extended through visualization on data dashboards, setting incident triage, and Windows event log analysis in SOC environments. I use it from a SIEM perspective in my organization.

What is most valuable?

The best features of Splunk Enterprise Security are that it is the leading platform in cybersecurity right now in SOC environments. Business resilience is very useful for real-time monitoring and investigation, which improves our business resilience.

The AI-driven detections have improved the accuracy of my investigations significantly. I have worked with two other SIEM tools: Wazuh and Azure Microsoft Sentinel. Compared to both, Splunk AI is very good. When we mark an alert as a false alert, Splunk Enterprise Security automatically detects it as a false positive. Whenever another similar alert comes through, it automatically takes action, so we will not get that alert on our dashboard again. It automatically handles false positive alerts, preventing clutter on our dashboard.

It has reduced my mean time to detection (MTTD) by about 30 percent and my mean time to resolution (MTTR) by about 40 percent. Our SLA has reduced from fifteen minutes to ten minutes, which is very helpful because we are raising alerts within ten minutes.

Risk-based alerting provides significant value. When we raise an alert, we provide the incident classification as either true positive or false positive in Splunk and also in the ticketing tool. If an alert is a false positive, Splunk's AI takes care of this and tells us whether we want this alert to show to the SOC team or not. The decision depends on AI analysis.

The assessment of the threat topology and the MITRE ATT&CK framework in Splunk shows that Splunk already maps MITRE ATT&CK with incidents. Whenever an alert comes, the AI configures it to that framework. For investigation purposes, I check the process tree to see how the alert originates and where the malware is going to end. This is very good for threat investigation.

Splunk Enterprise Security has become at least forty to fifty percent faster at detecting threats compared to Azure Sentinel. It is very fast for detecting alerts.

It has contributed to the reduction of analyst burnout and fatigue because it reduces our alerts. If we raise an alert on Splunk, it takes care of them through AI. False positive alerts will not show up, preventing mess for our team. Our threat hunting team and forensic team handle the true positive alerts, while false positives are automatically taken care of by AI.

When comparing Splunk with other vendors, I find that Splunk use cases have more power to detect alerts. Azure Microsoft Sentinel has inbuilt over two hundred use cases analytics for their team only, and we cannot create more customized use cases. In Splunk, we can create additional customized use cases, plus there is AI for detection. If we miss some use cases for any logs or events, AI takes care of it and creates its own use case, showing alerts for us. The dashboard is also very user-friendly compared to both.

What needs improvement?

Areas that have room for improvement in Splunk Enterprise Security include user access. When we give access to a new user, it becomes difficult for them to log in and understand the interface. It would be beneficial if there is a demo for L1 users. I also see improvement needed in integration. Currently, we have to manually integrate devices, but I would like AI to take care of it, similar to how SentinelOne operates. This would make the process smoother.

For how long have I used the solution?

My experience using the solution has been two years.

What do I think about the stability of the solution?

Stability-wise, Splunk Enterprise Security is very good. I have not experienced any significant performance issue or downtime.

What do I think about the scalability of the solution?

I rate the scalability of Splunk Enterprise Security as an eight. It depends on how stable and scalable you manage Splunk Enterprise Security for your organization.

How are customer service and support?

I rate the technical support of Splunk Enterprise Security as a three. I find it not good because whenever I raise a ticket, they take a very long time. Even if I call the toll-free number, tickets are pending.

Which solution did I use previously and why did I switch?

I have worked with two other SIEM tools: Wazuh and Azure Microsoft Sentinel. The AI-driven detections have improved the accuracy of my investigations significantly compared to these solutions.

How was the initial setup?

It is very easy to deploy Splunk Enterprise Security compared to both other SIEM tools. The Splunk connector is very easy to set up.

The time it takes to install depends on whether we are installing on a Windows or Linux machine, and on the size of the organization. For a moderate-level company, it usually takes around five days to install the connectors and endpoints everywhere.

What about the implementation team?

When it comes to upgrading Splunk Enterprise Security to version 8.0, I have a team that handles the upgrade, and it is basically easy to upgrade the version.

What was our ROI?

Combining SIEM, SOAR, and UEBA into a single interface has improved my operational efficiency significantly. Before we integrated SOAR, we usually took fifteen minutes to raise SLA alerts. For analysis, L1 would take ten to twelve minutes to decide if they wanted to raise an alert or not. With SOAR, we have predefined playbooks, so if any inbound connection happens from a malicious IP, it automatically blocks on the firewall. We handle most alerts through SOAR now, which allows us to focus on the more significant incidents like malicious attacks, effectively reducing our response time.

What's my experience with pricing, setup cost, and licensing?

Regarding the pricing of Splunk Enterprise Security, I would say it is very expensive for our organization compared to the two others. Wazuh is open-source, and for SentinelOne, we are a partner with Microsoft, but Splunk has a high cost for setup, which is based on the EPS count and storage.

Which other solutions did I evaluate?

When comparing Splunk with other vendors, I find that Splunk use cases have more power to detect alerts. Azure Microsoft Sentinel has already inbuilt over two hundred use cases analytics for their team only, and we cannot create more customized use cases. In Splunk, we can create additional customized use cases, plus there is AI for detection. If we miss some use cases for any logs or events, AI takes care of it and creates its own use case, showing alerts for us. The dashboard is also very user-friendly compared to both.

What other advice do I have?

9

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer. MSSP
Last updated: May 24, 2026
RajKumar27 - PeerSpot reviewer
Information Security Analyst at a hospitality company with 5,001-10,000 employees
Video Review
Real User
Top 10
Sep 13, 2025
Enables our team to automate threat detection and prioritize incidents through risk-based alerting
Pros and Cons
  • "I appreciate the Identity and Assets framework the most, as well as the threat analysis framework."
  • "To improve Splunk Enterprise Security, I suggest incorporating more AI features for faster remediation and enhanced responses, allowing users to build more correlation searches quickly."

What is our primary use case?

My main use cases for Splunk Enterprise Security include finding out excessive login failures, any compromised accounts, any compromised emails using phishing tactics with Proofpoint, network anomalies, User Behavior Analysis, and detecting rogue assets.

What is most valuable?

I appreciate the Identity and Assets framework the most, as well as the threat analysis framework. Those are my two favorites in Splunk Enterprise Security, along with correlation searches and the entire incident response workflow.

The Risk-Based Alerting in Splunk Enterprise Security is a great addition to our team, as it correlates data from different sources and adds scores to users or systems, allowing us to make decisions based on risk scores assigned to assets or identities.

Splunk Enterprise Security dashboards communicate our security posture and risk score to executives, including major contributing risk factors, key performance indicators (KPIs), and key risk indicators, which help us make informed decisions about future focus areas.

Splunk Enterprise Security helps our team save time by performing correlation searches automatically, eliminating the need for manual searches. We also utilize SOAR for taking automated remediation responses.

What needs improvement?

To improve Splunk Enterprise Security, I suggest incorporating more AI features for faster remediation and enhanced responses, allowing users to build more correlation searches quickly. Regarding improvements in Enterprise Security, I believe the incorporation of AI would enable Splunk users to spend less time on building correlation searches while still gaining productive ideas.

For how long have I used the solution?

I have over eight-plus years of experience working in the IT sector, with six-plus years of experience collectively working on security and Splunk-related tasks.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security at 90%.

What do I think about the scalability of the solution?

The scalability of Splunk Enterprise Security is impressive, as you can scale it to any size and make various types of data readable, although event types and tagging are necessary for optimal performance.

How are customer service and support?

Customer service and technical support for Splunk Enterprise Security are great; they respond quickly and handle our cases efficiently whenever we require assistance.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used Splunk Enterprise Security at my previous company yet have not used any different products since then, although I have some knowledge about platforms such as Elasticsearch and QRadar.

How was the initial setup?

The challenges with deployment are the fine-tuning and some of the correlations, such as where the data is not normalized. And that's why the CIM module has been great so far.

What was our ROI?

The biggest return on investment with Splunk Enterprise Security lies in the time and effort it saves due to its built-in features, datasets, and pre-built dashboards, providing us with visibility across different data sources.

What other advice do I have?

My advice for other companies considering Splunk Enterprise Security is that if they're looking to enhance their security visibility or establish a security operation center, this tool is an excellent starting point, and they can scale and automate processes using SOAR effectively.

On a scale of one to ten, I rate this solution an eight.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
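The risk-based alerting this reviewer describes (scores from several correlation searches accumulating on a user or asset, with a notable raised on the aggregate) and the failed-login-burst use case from an earlier review on this page, as one added example in plain Python rather than SPL. It is not Splunk's code or either reviewer's; the event format, the three rule names, the scores, the windows and the thresholds are all assumptions, and the log lines are constructed.

```python
"""Risk-based alerting over constructed auth/proxy events (added example, not Splunk's code).

Each correlation rule adds a risk score to the entity it names (user:<name> or
ip:<addr>); a notable fires only when one entity's aggregated risk inside a
window crosses a threshold AND comes from at least two distinct rules, so a
single hit (carol's one blocked site below) never becomes a notable on its own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning values; real deployments set these per environment.
FAILURE_THRESHOLD = 5                   # failures from one src_ip ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... inside this window form a burst
RISK_WINDOW = timedelta(hours=24)       # aggregation window per entity
RISK_THRESHOLD = 60                     # aggregated score needed for a notable
MIN_DISTINCT_RULES = 2                  # ... from at least this many rules

# Constructed sample events: "<ISO timestamp> <sourcetype> key=value ...".
SAMPLE_EVENTS = """\
2025-09-13T08:00:01Z auth user=alice src_ip=203.0.113.10 action=failure
2025-09-13T08:00:03Z auth user=alice src_ip=203.0.113.10 action=failure
2025-09-13T08:00:05Z auth user=alice src_ip=203.0.113.10 action=failure
2025-09-13T08:00:07Z auth user=alice src_ip=203.0.113.10 action=failure
2025-09-13T08:00:09Z auth user=alice src_ip=203.0.113.10 action=failure
2025-09-13T08:00:20Z auth user=alice src_ip=203.0.113.10 action=success
2025-09-13T08:15:00Z proxy user=alice dest=example.invalid category=malware action=blocked
2025-09-13T09:00:00Z auth user=bob src_ip=198.51.100.7 action=failure
2025-09-13T09:00:02Z auth user=bob src_ip=198.51.100.7 action=failure
2025-09-13T10:30:00Z proxy user=carol dest=cdn.example category=malware action=blocked
"""


def parse_event(line):
    """Turn one constructed log line into a dict with _time and sourcetype."""
    ts, sourcetype, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["sourcetype"] = sourcetype
    return fields


def parse_events(text):
    return sorted((parse_event(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["_time"])


def correlation_rules(events):
    """Run the three assumed rules; return risk events (time, entity, rule, score)."""
    risk = []
    failures = defaultdict(list)  # src_ip -> failure timestamps in the window
    burst_at = {}                 # src_ip -> time the burst rule last fired
    for e in events:
        t = e["_time"]
        if e["sourcetype"] == "auth" and e["action"] == "failure":
            ip = e["src_ip"]
            failures[ip] = [x for x in failures[ip] if t - x <= FAILURE_WINDOW] + [t]
            already = ip in burst_at and t - burst_at[ip] <= FAILURE_WINDOW
            if len(failures[ip]) >= FAILURE_THRESHOLD and not already:
                burst_at[ip] = t  # fire once per burst, not once per extra failure
                risk.append((t, f"user:{e['user']}", "brute_force_burst", 20))
                risk.append((t, f"ip:{ip}", "brute_force_burst", 20))
        elif e["sourcetype"] == "auth" and e["action"] == "success":
            ip = e["src_ip"]
            if ip in burst_at and t - burst_at[ip] <= FAILURE_WINDOW:
                risk.append((t, f"user:{e['user']}", "success_after_burst", 40))
        elif e["sourcetype"] == "proxy" and e.get("category") == "malware":
            risk.append((t, f"user:{e['user']}", "malware_site_blocked", 30))
    return risk


def risk_notables(risk_events):
    """Aggregate risk per entity over RISK_WINDOW; one notable per entity over threshold."""
    by_entity = defaultdict(list)
    for t, entity, rule, score in risk_events:
        by_entity[entity].append((t, rule, score))
    notables = {}
    for entity, items in by_entity.items():
        items.sort()
        for t, _, _ in items:
            window = [x for x in items if x[0] <= t and t - x[0] <= RISK_WINDOW]
            total = sum(s for _, _, s in window)
            rules = {r for _, r, _ in window}
            if total >= RISK_THRESHOLD and len(rules) >= MIN_DISTINCT_RULES:
                notables[entity] = {"risk_score": total, "rules": sorted(rules), "last_seen": t}
    return notables


def run(text=SAMPLE_EVENTS):
    return risk_notables(correlation_rules(parse_events(text)))


if __name__ == "__main__":
    for entity, n in run().items():
        print(f"NOTABLE {entity}: score={n['risk_score']} rules={n['rules']}")
```

Running it raises one notable, for user:alice, whose burst, the success right after it and a blocked malware site add up across three rules; the source IP alone, bob's two failures and carol's single blocked site stay below the threshold.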
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2026