Sheenam Singla - PeerSpot reviewer
SAP Roles and Authorization Consultant at a tech vendor with 10,001+ employees
Real User
Top 5
Sep 11, 2025
Supports faster incident response and improved threat detection through flexible customization options
Pros and Cons
  • "The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability."
  • "The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability, as it integrates disparate security solutions, offers many out-of-the-box apps through Splunkbase, enables straightforward customization, and supports efficient detection and alerting processes that improve overall business resilience."
  • "Splunk Enterprise Security can be improved by having more focus on the data health monitoring aspect, which will definitely be helpful."

What is our primary use case?

My main use cases for Splunk Enterprise Security are mostly for SOC, detection engineering, and incident response.

How has it helped my organization?

Splunk features benefit my organization as we can use it for any custom needs. That's the biggest benefit of getting it. It doesn't matter what team has what kind of requirements. There's a possibility through Splunk's back-end that we can customize it and make it work.

What is most valuable?

The features of Splunk Enterprise Security that I appreciate the most are its flexibility and scalability. 

I use disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports my security operations, as one of the biggest advantages is that Splunk Enterprise Security comes with many apps and applications out of the box through Splunkbase, and there's essentially a connector available for any log source imaginable.

I find the process of customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security pretty straightforward overall. There's a lot of out-of-box content that can be leveraged and many features available to ensure all configurations are working as expected.

My organization uses risk-based alerting in Splunk Enterprise Security. It supports our SOC by significantly reducing the alert count and allowing analysts to focus on what matters most.

My SecOp team's remediation time for security incidents with Splunk Enterprise Security is definitely faster than other solutions.

I am utilizing new threat detection features in Splunk Enterprise Security, specifically the Assets and Identity Framework and risk-based alerting. These features have improved efficiency and helped reduce false positive counts.

Splunk Enterprise Security has helped improve my organization's business resilience. The flexible pricing models allow us to pick and choose, and I can easily see how different business units are consuming Splunk Enterprise Security, thereby distributing the cost within the organization.

I have recently expanded my usage, and the process was smooth.

What needs improvement?

Splunk Enterprise Security can be improved by having more focus on the data health monitoring aspect, which will definitely be helpful. A good out-of-box application that can help monitor if the data feeds are feeding in properly or if there is any drop will really help make life easier.

For how long have I used the solution?

I have been using Splunk Enterprise Security for six years now.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security in terms of downtime, crashes, and performance issues, as there are no issues with the availability of the platform since it's cloud-based.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales with the growing needs of my organization as it's highly scalable. As the organization grows, Splunk Enterprise Security can also grow.

How are customer service and support?

I would evaluate customer service and technical support as good.

Which solution did I use previously and why did I switch?

I was mostly using Splunk Enterprise Security.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as time-consuming. It definitely needs some planning and time to ensure that everything is set up and configured properly.

What was our ROI?

I have seen return on investment with Splunk Enterprise Security.

What's my experience with pricing, setup cost, and licensing?

I'm not on the licensing side.

What other advice do I have?

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are that it takes some time to get the hang of the platform, and it has a slight learning curve associated with it. Other than that, I have no complaints.

The advice I would give to other organizations considering Splunk Enterprise Security is to try it out and see if it fits their requirements. It's highly flexible, highly customizable, and can scale according to needs.

On our rating scale, I give Splunk Enterprise Security an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2756187 - PeerSpot reviewer
Security Engineer at a financial services firm with 10,001+ employees
Real User
Top 20
Sep 15, 2025
Risk-based alerting has improved threat visibility and reduced false positives for our analysts
Pros and Cons
  • "The features of Splunk Enterprise Security that I prefer the most are risk-based alerting, the new Mission Control, and the integrations that are coming into place between Mission Control and Splunk SOAR."
  • "Splunk Enterprise Security could be improved by having better role-based access controls."

What is our primary use case?

My main use cases for Splunk Enterprise Security are detections and incident response.

How has it helped my organization?

An example of how these features have benefited my organization is that risk-based alerting has transformed our ability to reduce the number of detections that we have, streamline our observability into risks and threats in our environment, and really focus our analysts on actual real problems, helping to remove the noise and false positives to a large degree. It frees us up to do actual work.

What is most valuable?

The features of Splunk Enterprise Security that I prefer the most are risk-based alerting, the new Mission Control, and the integrations that are coming into place between Mission Control and Splunk SOAR.

What needs improvement?

Splunk Enterprise Security could be improved by having better role-based access controls. We need to be able to better control who can do what, which people can be allowed to take certain actions, run certain playbooks, or view specific items, and separate things between teams.

For how long have I used the solution?

I have been using Splunk Enterprise Security for about 8 years.

How are customer service and support?

I evaluate customer service and technical support as fantastic. Technical support is some of the best that I've worked with.

I work with a lot of different vendors, and Splunk support is very responsive and capable. They have very knowledgeable people who can deep dive into the details and understand the inner workings of the platform without having to engage developers or back-end people all the time; they can just deal with it because they know what they're doing.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have also used Google Chronicle and the Google SecOps platform. The factors that led me to consider a change included the lack of maturity in the other product and the maturity of Splunk. Google SecOps doesn't have anywhere near the capabilities of the Splunk ecosystem.

The search capabilities in Splunk Enterprise Security, and Splunk in general, are far superior to the search capabilities in Google's products. Their automation platform was extraordinarily immature. It doesn't have many of the basic capabilities that you would expect in an enterprise-class platform, and Splunk does have that. The Splunk capabilities were just vastly superior.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as fairly straightforward. We have detection engineers who know what they're doing, and so learning the detection platform in Splunk Enterprise Security was quick for them to pick up. Even those who were not familiar with Splunk Enterprise Security to begin with were able to pick that up quickly.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security.

What other advice do I have?

I would rate it an eight out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Derek Scott - PeerSpot reviewer
Information System Security Officer at SAIC
Video Review
Real User
Top 5
Sep 11, 2025
Risk-based alerting and custom dashboards transform communications and detect threats
Pros and Cons
  • "The stability and reliability of Splunk Enterprise Security is outstanding. It's a software and product that anybody can really pick up and use."
  • "Combating insider threats and advanced persistent threats is an amazing feature of Splunk Enterprise Security, and it gives us the visibility that we need for those detections that other software doesn't have."
  • "I'm not as familiar as I should be to answer how Splunk Enterprise Security can be improved, however, one of the improvement points that Enterprise Security could offer is on-prem training."
  • "One of the improvement points that Enterprise Security could offer is on-prem training, the availability to have a Splunk representative come out to different sites and actually sit down with the organizations and help them understand."

What is our primary use case?

Many of my use cases for Splunk Enterprise Security involve integrating with our networks and systems to troubleshoot and streamline our capabilities.

What is most valuable?

One of the features of Splunk Enterprise Security that I really enjoy is the ability to have the scalability of the product and the moldability that's really customized to meet our specific needs. 

The flexibility of Splunk Enterprise Security is beneficial, and that feature, while a broad statement, is crucial in itself, as it allows us to design our own environments with the flexibility and malleability needed to function effectively.

Splunk Enterprise Security's Risk-Based Alerting or RBA has been really amazing. We're still new at it, however, it's definitely nice to be able to have those results at your fingertips instead of having to search what you need to.

Using Splunk Enterprise Security's dashboards to communicate security posture to executives is probably one of the nicest things that Splunk offers. Not everyone is as skilled with the inner workings of the system as we are in my industry, so being able to put a visualization on there is critical.

The ability of Splunk Enterprise Security to ingest data has been amazing for our threat detection. Combating insider threats and advanced persistent threats is an amazing feature of Splunk Enterprise Security, and it gives us the visibility that we need for those detections that other software doesn't have.

The stability and reliability of Splunk Enterprise Security is outstanding. It's a software and product that anybody can really pick up and use.

What needs improvement?

I'm not as familiar as I should be to answer how Splunk Enterprise Security can be improved, however, one of the improvement points that Enterprise Security could offer is on-prem training, the availability to have a Splunk representative come out to different sites and actually sit down with the organizations and help them understand.

For how long have I used the solution?

I've been using Splunk Enterprise Security for about a year to a year and a half now.

How are customer service and support?

I handle most things in-house, however, I evaluate Splunk Enterprise Security's technical support and service as outstanding based on the few times we've had to contact them.

How would you rate customer service and support?

Positive

How was the initial setup?

My experience with deploying Splunk Enterprise Security is that the deployment process is pretty straightforward, especially once you have the certifications and you understand how the process works. I'd say it goes back to the training opportunities; some people are unfamiliar with it, so a little bit of support would be appreciated sometimes.

What was our ROI?

Splunk Enterprise Security has definitely reduced the amount of time that it takes us to detect and respond. I would say the percentage lowered by using Splunk Enterprise Security is around 25 to 30%.

What's my experience with pricing, setup cost, and licensing?

I understand how the pricing, the setup costs, and the licensing of Splunk Enterprise Security work, however, I personally don't have knowledge of the numerical values.

What other advice do I have?

I'd give Splunk Enterprise Security a rating of ten out of ten. 

My advice to other companies considering Splunk Enterprise Security is to just do it. Don't look at any of the competitors; Splunk, hands down, is the product that I would recommend to other companies.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2711313 - PeerSpot reviewer
Director, Enterprise Insider Threat at a legal firm with 1,001-5,000 employees
Real User
Top 10
Sep 13, 2025
Unified event correlation and intelligence dashboards to strengthen business resilience
Pros and Cons
  • "I would assess the stability and reliability of Splunk Enterprise Security as good, as I have not had any issues with it."
  • "The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include not having enough time to be in it, the resources and people to also be in there, and trying to configure it and teach people how to use it. A lack of resources prevents us from giving it the attention it needs."

What is our primary use case?

My main use cases for Splunk Enterprise Security are event correlation and risk-based alerting.

What is most valuable?

The features I appreciate most about Splunk Enterprise Security are the different domains they have and the intelligence that comes along with each of those dashboards, being that single pane of glass for analysts to go in and look at. Splunk Enterprise Security has helped improve my organization's business resilience.

We use Cribl to pull data in and get it optimized before it hits Splunk Enterprise Security as far as collection. I have not done much customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security yet; we started off with just getting data in, and now we are at the point where we are starting to look at detections.

In Splunk Enterprise Security, I do not use risk-based alerting as much as we should. That goes back to the whole time issue, as we need to teach people what to do with it and how to tune them, and we do not have enough time in the day.

What needs improvement?

As for improvements to Splunk Enterprise Security, we will see how ES 8.2 looks. It is hard to say. We just found out about a bunch of changes, so it is difficult to make specific recommendations at this point.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection include not having enough time to be in it, the resources and people to also be in there, and trying to configure it and teach people how to use it. A lack of resources prevents us from giving it the attention it needs.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as good, as I have not had any issues with it. I have experienced downtime, crashes, or performance issues with Splunk Enterprise Security only once or twice when we have had to restart our Splunk instance, and it has taken three minutes and come right back, so nothing major.

What do I think about the scalability of the solution?

Splunk Enterprise Security has not hit the point yet where we need to scale; we are still at the initial ingestion phase. We are in the process of expanding usage for Splunk Enterprise Security; we have not actually done it yet, as we are still planning and trying to get other teams involved while meeting their use cases, so we are probably a month away from that.

How are customer service and support?

I would evaluate customer service and technical support for Splunk Enterprise Security as far better than anything else, giving it an eight out of ten, thanks to the response times they meet. When going to our account representatives, if we need something, they are always responsive and we get whatever we need.

How would you rate customer service and support?

Positive

How was the initial setup?

The deployment was easy since we're cloud-based. We didn't really have to do anything.

What was our ROI?

I have seen ROI with Splunk Enterprise Security. Just getting data in and being able to use the data and making sure it is compliant and mapping it to data models is far more efficient than any other SIEM I have had experience with.

What's my experience with pricing, setup cost, and licensing?

My experience with pricing, setup costs, and licensing for Splunk Enterprise Security is straightforward and self-explanatory. We are ingest-based, so we are not compute-based, making it pretty simple to get everything in without worrying about pricing.

Which other solutions did I evaluate?

Factors that led me to consider the change include shifting to a cloud-based solution at an affordable price and moving to something that is going to help reduce time spent on alerts and maintaining the system, with maintaining the system being probably the biggest reason since shifting to the cloud.

What other advice do I have?

For the future of Splunk Enterprise Security, I would want the Edge Processor to be able to send to multiple destinations rather than just Splunk, though that is more about Observability.

The advice I would give to other organizations considering Splunk Enterprise Security is that everybody wants to drive a Ferrari, so get the Ferrari of SIEMs.

I rate Splunk Enterprise Security ten out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2701950 - PeerSpot reviewer
Splunk System Engineer at a non-tech company with 11-50 employees
Real User
Top 20
May 10, 2025
Correlation engine and alert features significantly reduce alert volume
Pros and Cons
  • "It's great for finding anonymous threats."
  • "The stability of Splunk Enterprise Security is very impressive; it is a very stable product."
  • "Splunk Enterprise Security can be improved mainly from the user interface regarding the visualizations. They are working on it, yet there are only five to ten very basic visualizations."

What is our primary use case?

The typical use case for Splunk Enterprise Security is to meet regulations and requirements for critical infrastructure. It is used to audit changes and authentication logs. The second purpose is for security operation center management and security management.

What is most valuable?

The most valuable feature of Splunk Enterprise Security is its main component, the correlation engine, which can specify detailed conditions such as how many events there need to be, what notification I will get, and whether I get it per event or one per batch.

There is also throttling; in basic Splunk, there is no throttling at all. In Splunk Enterprise Security, there is an additional layer of control of these alerts. I appreciate the correlations and the alerts in that product.

The asset management is particularly useful. We can enable asset lookups to show in every event. We define one, and it will translate to all events, allowing asset management to be easy. 

Splunk Enterprise Security helps to reduce alert volume because the language is similar to SQL with Google-style functionality above it. We can use these terms to specify what is in the allow list. We can specify what's in lookups, what should be there, and what's not. It definitely helps to reduce the numbers of full score.

Splunk Enterprise Security helps to speed up security investigations. When the finding is created, there are many correlations. You can quickly see what asset it is, what identity is involved, and you see the historical progress of what happened. Right from the findings, you can call VirusTotal and other resources, which is definitely helping.

I assess Splunk Enterprise Security's insider threat detection capabilities for helping to find unknown threats and anomalous user behavior as great. It regularly checks new events through the correlation search and compares them with threat intelligence. The threat intelligence is refreshed regularly, downloading new threat information. Splunk has a special research team for security content and intelligence, which distributes its own threat list to Splunk Enterprise Security.

It's great for finding anonymous threats. It checks new events and also works with the latest threat intelligence. At least once a day, it develops new threat information. In Splunk, there is a special research team. They are also distributing their own threat lists. The solution is capable of very good threat detection.

In basic SPL, with the Splunk query language, we can detect brute force without threats. It scans every event, and if it finds patterns, IOCs, it can trigger notable events, which are now called findings. The new version includes an internal Git repository, so when the SOC team makes improvements to the correlation search and makes changes, it automatically keeps a history of that correlation search, what was changed, when, by whom, and you can revert if it breaks.

The value that Splunk Enterprise Security offers in resilience is vital. It helps customers distributing gas across the Slovak Republic, ensuring that critical infrastructure, such as operational pipelines, are running. If there were an outage that delayed recovery, the economic impact could be significant. 

It's good for analyzing malicious activities and detecting breaches. The interface sometimes can be very essential.  

Splunk has helped us reduce alert volume. We can use terms to specify what is whitelisted and we can search like we would on Google. 

We've been able to speed up security investigations. When a finding is created, there are many correlations. You can quickly see the asset, the identity involved, the history, et cetera.

What needs improvement?

Splunk Enterprise Security can be improved mainly from the user interface regarding the visualizations. They are working on it, yet there are only five to ten very basic visualizations. When you have your data all set and the customer wants some new dashboards that would help them, it is pretty complicated to build them from the built-in visualizations. 

This is one of the blocking points in Splunk, however, they're working on a new layer called Dashboard Studio. It is still limited. An older version of Splunk allowed implementation of JavaScript to capture events when a user clicked by mouse, which enabled great features. In the improved Dashboard Studio, this is not possible. They have improved one part and have made the other part worse, so it still lacks a premium feeling. Cisco will improve it, however, it seems they are focusing on what the big companies want. They will implement it if it's usable for these big players that pay, but for small companies, it's too pricey to use this solution.

For how long have I used the solution?

I've been working with this solution for seven years.

What do I think about the stability of the solution?

The stability of Splunk Enterprise Security is very impressive; it is a very stable product. They handle these things perfectly and conduct internal testing thoroughly. 

They test it very thoroughly before release, and our customers have Splunk running for months without issues. 

When I observe how customers work with Splunk in the cloud, it is also very good. They manage maintenance windows and inform customers, resulting in little to no interruptions to workflow. In terms of stability, I would give it a full score.

What do I think about the scalability of the solution?

We work with medium to large organizations. Our typical environment has 500 servers. In volume, we're looking at 100GB in storage. From Splunk's view, we're doing rather small volumes. It's big in a Central European context, and small from a Splunk North American context. It can be pricey for small companies. 

How are customer service and support?

I would rate technical support from Splunk Enterprise Security as a six out of ten. 

It's average, considering it's a very big product, and they handle several hundred tickets a day. I have opened 20 to 30 cases, and they helped me with only three to five of them. They try to close issues as soon as possible, often just offering documentation links. 

Even when I provide them with the core problem, they do not help much. The customer often has to rely on workarounds, custom scripts, and solutions which are somewhat lacking.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Before Splunk Enterprise Security, I didn't use a different solution; this was my first job, and I started working full-time with Splunk about eight years ago. 

In the beginning, when they were testing, I was shown the OP5 and Nagios operating monitoring; we tried them out, however, they were not really security-related.

How was the initial setup?

You can quickly set up Splunk by downloading the package, unpacking it, and starting to work. It's straightforward to get a quick view of your data, and you do not have to worry about connections to databases; it will start parsing the data as soon as you hand it over. For bigger environments with several hundred servers, Splunk Enterprise Security is the best solution.

What was our ROI?

Customers see the value in investing in this solution, particularly when it helps resolve issues quickly, turning a potential 20-hour response into one hour.

What's my experience with pricing, setup cost, and licensing?

It's still pretty pricey. It's an expensive solution for smaller companies. 

That said, if someone evaluating SIEM solutions wants to go with the cheapest solution, Splunk Enterprise Security is a very good option. It has difficulties in administration and setup, however, in comparison with other products, it's still a great platform.

What other advice do I have?

My relationship with Splunk is that we are a partner and reseller partner. My organization does not monitor multiple cloud environments; we primarily monitor M365 and Azure environments from cloud products. We use the Microsoft Add-on for Splunk to read Exchange and Microsoft audit logs from the cloud. However, we still prefer on-premise solutions in our country.

We use the Mission Control feature. It's replaced another component. I don't use it too much myself. It's like a connector for SOAR. We're investigating its capabilities and have not implemented it fully.

Overall, I would rate Splunk Enterprise Security a nine out of ten. If you want to see your data quickly and in full view, it's very good - specifically for bigger environments.

Which deployment model are you using for this solution?

On-premises

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
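The threshold conditions, allow-list lookup and throttling layer this reviewer describes for the correlation engine, shown as an added Python example that emulates an ES-style brute-force correlation search offline. This is not Splunk's code or SPL: the key=value log format, the ALLOWLIST entries and the Throttle class are constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (hypothetical key=value format, not Splunk output).
SAMPLE_LOG = """\
2025-09-10T10:00:01Z action=failure src=203.0.113.7 user=alice
2025-09-10T10:00:05Z action=failure src=203.0.113.7 user=alice
2025-09-10T10:00:09Z action=failure src=203.0.113.7 user=bob
2025-09-10T10:00:12Z action=failure src=203.0.113.7 user=carol
2025-09-10T10:00:20Z action=failure src=203.0.113.7 user=dave
2025-09-10T10:00:25Z action=failure src=203.0.113.7 user=dave
2025-09-10T10:00:31Z action=success src=203.0.113.7 user=dave
2025-09-10T10:01:02Z action=failure src=198.51.100.9 user=scanner
2025-09-10T10:01:03Z action=failure src=198.51.100.9 user=scanner
2025-09-10T10:01:04Z action=failure src=198.51.100.9 user=scanner
2025-09-10T10:01:05Z action=failure src=198.51.100.9 user=scanner
2025-09-10T10:01:06Z action=failure src=198.51.100.9 user=scanner
2025-09-10T10:02:00Z action=failure src=192.0.2.44 user=eve
2025-09-10T10:02:01Z action=failure src=192.0.2.44 user=eve
2025-09-10T10:12:00Z action=failure src=203.0.113.7 user=alice
2025-09-10T10:12:01Z action=failure src=203.0.113.7 user=alice
2025-09-10T10:12:02Z action=failure src=203.0.113.7 user=alice
2025-09-10T10:12:03Z action=failure src=203.0.113.7 user=alice
2025-09-10T10:12:04Z action=failure src=203.0.113.7 user=alice
"""

# Constructed allow-list lookup: sources whose failures are expected, like a lookup
# table the search consults to drop known-good sources before alerting.
ALLOWLIST = {"198.51.100.9": "authorized vulnerability scanner"}

LINE_RE = re.compile(r"^(\S+) action=(\w+) src=(\S+) user=(\S+)$")


def parse_events(text):
    """Parse the key=value lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "action": m.group(2), "src": m.group(3), "user": m.group(4)})
    return events


def correlate(events, threshold=5, window=timedelta(minutes=5), allowlist=ALLOWLIST):
    """Per-event mode: emit a finding for every failure that brings a source's
    failure count within the sliding window up to the threshold or beyond.
    Sources present in the allow-list lookup are suppressed entirely."""
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "failure":
            failures[e["src"]].append(e)
    findings = []
    for src, evs in failures.items():
        if src in allowlist:
            continue
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            # slide the window start forward until all events fit inside it
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                findings.append({
                    "src": src, "count": count, "ts": e["ts"],
                    "users": sorted({x["user"] for x in evs[start:end + 1]}),
                })
    return findings


class Throttle:
    """Suppress repeated findings for the same key inside a quiet period,
    the extra control layer the review says plain Splunk alerts lack."""

    def __init__(self, quiet=timedelta(minutes=10)):
        self.quiet = quiet
        self.last = {}

    def allow(self, key, ts):
        prev = self.last.get(key)
        if prev is not None and ts - prev < self.quiet:
            return False
        self.last[key] = ts
        return True


def run_search(text, threshold=5, window=timedelta(minutes=5), quiet=timedelta(minutes=10)):
    """Full pipeline: parse, correlate against threshold and allow-list, then throttle."""
    raw = correlate(parse_events(text), threshold, window)
    throttle = Throttle(quiet)
    return [f for f in raw if throttle.allow(f["src"], f["ts"])]


if __name__ == "__main__":
    for f in run_search(SAMPLE_LOG):
        print(f"{f['ts']} src={f['src']} failures={f['count']} users={f['users']}")
```

With the sample data, the unthrottled search fires three times for 203.0.113.7 (the sixth failure at 10:00:25 re-triggers the still-satisfied condition) while throttling collapses the first burst into one finding, and the scanner's five failures never alert because of the allow-list lookup.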
Harshal Pachpande - PeerSpot reviewer
Security Operation Consultant at a tech services company with 201-500 employees
Real User
Top 5
Jun 12, 2026
Centralized monitoring has improved threat detection and reduced response times significantly
Pros and Cons
  • "Splunk is one of the most powerful SIEM platforms due to its flexibility, scalability, and advanced search capabilities as it uses the SPL language."
  • "Regarding Splunk Enterprise Security improvements, I think there should be licensing flexibility, including cost optimization for larger data volumes."

What is our primary use case?

I work with a couple of security solutions as well as devices. We have companies such as IBM, Splunk, QRadar, and many other SIEM solutions. I have worked with technologies such as DLP firewalls, proxies, file transfer solutions, and monitoring via security monitoring solutions. I am from a security analyst background.

Regarding Splunk Enterprise Security, we have both this product and Splunk as a SIEM solution with us.

Regarding Splunk's real-time capabilities, I have been using it from the monitoring perspective. We have been onboarding our customers over to the Splunk platform, gathering log details from the security monitoring perspective, and building alerts over the Splunk platform. It serves as a SIEM solution and SIEM provider by Splunk. Splunk is one of the most powerful SIEM platforms due to its flexibility, scalability, and advanced search capabilities as it uses the SPL language.

Splunk has interactive dashboards with cloud detection and cloud integration platform capabilities, having their own built dashboards which help to get all details with the VPC flows and AWS data, showing how much data has been thrown, what the detections and vulnerabilities are, and we can easily access that information.

What is most valuable?

From our security monitoring perspective, the most valuable features are the dashboards. Splunk has a wide variety of dashboards and widgets available so I can monitor ROI, MTTD, and MTTR, which are required to adhere to SLAs with respect to clients. Splunk Enterprise Security also has valuable features such as the Splunk Processing Language (SPL), enabling analysts to perform advanced threat hunting, incident investigation, and log analysis over massive data sets for longer durations in real time. It helps create custom detections and rapid investigation queries.

Splunk Phantom with automation setup helped us reduce MTTD and MTTR time significantly. The automation ensures that detections get automated and notified to customers quickly. We have been positively impacted with the Splunk setup regarding automation and detection.

Splunk detects threats in real-time using the Splunk Query Language and helps with reduced MTTD and provides higher efficiencies. AI facilitates generating investigation queries without manual crafting. Interactive dashboards assist with retention, allowing analysts to prioritize alerts and start investigations quickly. The SOAR helps automate alerts and manage ITSM incidents, reducing MTTD and MTTR. UBA adds visibility to abnormal behaviors of users, and we have detected impossible travel incidents in near real-time and contained unauthorized attempts.

What needs improvement?

Regarding Splunk Enterprise Security improvements, I think there should be licensing flexibility, including cost optimization for larger data volumes. Additionally, for new users, the SPL language can be difficult. Practical examples should be presented within the dashboards or the query sets for the datasets.

Regarding the pricing aspect, more licensing flexibility is needed. Splunk provides licensing based on data volume. If data peaks are above average, extra charges can occur. Pricing should instead be based on averages.

For how long have I used the solution?

I have been using Splunk Enterprise Security for three years.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable. They have been pushing upgrades frequently, and this has remained stable as well.

How are customer service and support?

Splunk has continuously helped in terms of any issues or outages, helping us troubleshoot and having troubleshooting calls on a priority basis. They act according to their severity tags.

What was our ROI?

We have had a positive ROI. Time spent on log analysis and threat detection is less, and centralizing multiple security tools has improved analyst efficiency. We have reduced our MTTD by about fifty percent with real-time detections.

What other advice do I have?

Splunk Enterprise Security has been helping us in terms of AI and detection quality. We have improved fine-tuning and reduced false positives. There have been no false positives in the environment, helping focus on true positives more.

Regarding risk-based alerting, Splunk generates alerts based on risk and we focus on particular incidents. We have received positive feedback about RBA helping with quick investigation and remediation. The Threat Topology helps with incident categorization and severity mapping. Minimal effort brings content packs into production, requiring little fine-tuning.

I would rate the solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Jun 12, 2026
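The review above credits UBA with catching impossible-travel logins in near real time. The following is an added example, not code from the review or from Splunk, that shows the logic such a rule implements: for each user, take consecutive logins, compute the great-circle distance between their geolocations, and flag the pair if covering that distance in the elapsed time would need a speed no traveller can reach. The login events, coordinates, the 900 km/h speed limit and the 50 km minimum-distance filter are all assumptions chosen for the example.

```python
# Added example, not part of the review: flag "impossible travel" between
# consecutive logins of the same user, the kind of rule the review credits
# to UBA. Events and coordinates are constructed; IPs are documentation ranges.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0   # assumption: faster than an airliner is impossible
MIN_DISTANCE_KM = 50.0  # assumption: ignore same-metro moves and NAT hops


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    src_ip: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Return (user, from_ip, to_ip, km, hours, kmh) for each consecutive pair of
    logins by one user that would require a speed above max_speed_kmh."""
    by_user = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(ev.user, []).append(ev)
    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue  # too close to count as travel at all
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if hours <= 0.0:
                # Same timestamp from two distant places: infinite speed, flag it
                findings.append((user, prev.src_ip, cur.src_ip, round(km), 0.0, float("inf")))
                continue
            kmh = km / hours
            if kmh > max_speed_kmh:
                findings.append((user, prev.src_ip, cur.src_ip, round(km), round(hours, 2), round(kmh)))
    return findings


def sample_findings():
    """Run the rule over constructed logins (approximate city-centre coordinates)."""
    def t(h, m=0):
        return datetime(2025, 9, 1, h, m, tzinfo=timezone.utc)

    logins = [
        Login("alice", t(9), "203.0.113.10", 51.5074, -0.1278),       # London
        Login("alice", t(10, 30), "198.51.100.7", 1.3521, 103.8198),  # Singapore, 90 min later
        Login("bob", t(8), "192.0.2.44", 40.7128, -74.0060),          # New York
        Login("bob", t(12), "192.0.2.45", 42.3601, -71.0589),         # Boston, 4 h later: plausible
        Login("carol", t(9), "203.0.113.20", 48.8566, 2.3522),        # Paris
        Login("carol", t(9, 5), "203.0.113.21", 48.8566, 2.3522),     # Paris again, new IP: ignored
        Login("dave", t(7), "198.51.100.30", 52.5200, 13.4050),       # Berlin
        Login("dave", t(7), "198.51.100.31", 35.6762, 139.6503),      # Tokyo, same second
    ]
    return impossible_travel(logins)


if __name__ == "__main__":
    for f in sample_findings():
        print("impossible travel: user=%s %s -> %s %d km in %.2f h (%s km/h)" % f)
```

The same-timestamp branch matters in practice: clock skew or batched forwarding can produce two logins with identical times, and dividing by zero would otherwise crash the rule rather than flag the pair. The minimum-distance filter keeps mobile carriers and office NAT changes, which move a user a few kilometres between two IPs, from generating noise.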
Solutions Director at a computer software company with 51-200 employees
Real User
Top 10
Sep 13, 2025
Risk-based alerting has improved detection efficiency and supports faster remediation
Pros and Cons
  • "On average, my security ops team remediates security incidents fairly quickly with Splunk Enterprise Security, depending on the use case: minutes versus hours, compared to my previous solution, which was ArcSight."
  • "Splunk Enterprise Security could be cheaper."

What is our primary use case?

My main use cases for Splunk Enterprise Security are security, general security, and SIEM.

What is most valuable?

The feature I appreciate the most in Splunk Enterprise Security is RBA. This feature helps my organization contextualize security alerts and put them in a framework that makes sense for our customers.

My organization uses risk-based alerting in Splunk Enterprise Security. Risk-based alerting in Splunk Enterprise Security supports my SOC by giving me a holistic view of what's happening and prioritizing alerts based on various risk factors that are important to me.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are zero-day events. I use disparate security solutions that integrate or import data into Splunk Enterprise Security. This integration supports my security operations by giving me a holistic view of what's happening in my environment. I find the process of customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security easier than other platforms.

On average, my security ops team remediates security incidents fairly quickly with Splunk Enterprise Security, depending on the use case: minutes versus hours, compared to my previous solution, which was ArcSight.

Splunk Enterprise Security has helped improve my organization's business resilience.

My impressions of Splunk Enterprise Security's ability to predict, identify, and solve problems are good. I would say to other organizations considering Splunk Enterprise Security to solve your data challenges first and focus on data quality, and then everything else will work with your infrastructure.

What needs improvement?

Splunk Enterprise Security could be cheaper. More artificial intelligence implementation for features should be included in the next release of Splunk Enterprise Security.

For how long have I used the solution?

I have been using Splunk Enterprise Security for nine years.

What do I think about the stability of the solution?

Splunk Enterprise Security is very reliable. I have not experienced any downtime, crashes, or glitches with Splunk Enterprise Security.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales efficiently with the growing needs of my organization. I have expanded usage, and the process was very smooth.

How are customer service and support?

I would evaluate customer service and technical support as pretty good. There is a good community.

On a scale of one to ten, I would rate customer service an eight.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to adopting Splunk Enterprise Security, I was using ArcSight to address similar needs.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as easy. I deploy it all the time, so it's easy for me.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security.

What's my experience with pricing, setup cost, and licensing?

I don't deal with pricing, setup cost, and licensing mainly; however, everyone says it's pricey.

Which other solutions did I evaluate?

I was using ArcSight, and the factor to change was that it could not accept all the data.

What other advice do I have?

On a scale of one to ten, I would rate Splunk Enterprise Security an eight.

Which deployment model are you using for this solution?

Hybrid Cloud

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Isaiah Melton - PeerSpot reviewer
ISSM at a government with 10,001+ employees
Video Review
Real User
Top 5
Sep 13, 2025
Prioritizes critical threats and improves collaboration across teams for faster incident response
Pros and Cons
  • "Splunk Enterprise Security helps my SOC team prioritize and investigate high-fidelity alerts more effectively by enabling us to quickly gather information, collaborate, and provide various teams with access to the same information, allowing them to follow the workflow to complete the task."
  • "Splunk Enterprise Security can improve in terms of probably being able to talk to additional sources."

What is our primary use case?

My main use cases for Splunk Enterprise Security are insider threat, application security, incident response, and risk forecasting.

What is most valuable?

I appreciate the ability of Splunk Enterprise Security to tap into various network equipment and services on the network to pull it all into one place. That's my favorite feature.

The feature I've mentioned helps us in responding to incidents and disasters and different technical situations by being able to pull data from various sources and analyze it and take action.

Splunk Enterprise Security's Risk-Based Alerting, or RBA, has enabled us to prioritize and focus on the most critical threats and issues, while blocking out some of the noise and various information that can come from all these different sources.

Splunk Enterprise Security helps my SOC team prioritize and investigate high-fidelity alerts more effectively by enabling us to quickly gather information, collaborate, and provide various teams with access to the same information, allowing them to follow the workflow to complete the task.

Splunk Enterprise Security's ability to ingest and normalize data from diverse sources has enhanced our threat detection capabilities by making us aware of what's going on in the world, relating to our use cases and our threat tolerance, as we constantly pull in that information and brief everyone who has a stake.

What needs improvement?

Splunk Enterprise Security can improve in terms of being able to add additional sources. They're adding many different ones, but as more cloud platforms and data lakes emerge, being able to reach all of those new technologies as they emerge would be beneficial.

What do I think about the stability of the solution?

I assess the stability and reliability of Splunk Enterprise Security as very reliable and stable so far. We haven't had any glitches with testing out the first pilot use of it.

What was our ROI?

From my point of view, the biggest return on investment when using Splunk Enterprise Security is definitely being able to respond to incidents faster, adapt to future attacks by analyzing that information and doing risk-based management decisions, and also preparing for the future by looking at new technologies that can help us.

What's my experience with pricing, setup cost, and licensing?

I'm not too involved with the pricing, the setup costs, and the licensing of the platform. It is pretty straightforward.

What other advice do I have?

We just started turning on UEBA in our company, but we haven't really started utilizing it yet. There is a roadmap to try to do some of that stuff from the program side, and we just have to get access to it once the enterprise is ready to implement it and hand it over to the program office.

Even though we just started using UEBA, it's very useful, and it helps us set a bar for what normal activity is, and then it sets alerts and gives us awareness for anything that's out of the norm in terms of normal user behavior and the data that's being accessed.

My advice to other companies considering Splunk Enterprise Security is that you should definitely look into it, get your folks a proof of concept and try it out, send folks to training, and let them learn about it, and see how it can help you be better at securing your environment.

I rate Splunk Enterprise Security nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2756124 - PeerSpot reviewer
Dir Security Ops at a government with 10,001+ employees
Real User
Top 20
Sep 13, 2025
Has improved incident detection and reduced SOC response times with a unified dashboard
Pros and Cons
  • "The feature I appreciate the most about Splunk Enterprise Security is the dashboard."
  • "The correlation of events is the most significant challenge I face when using Splunk Enterprise Security for advanced threat detection."

What is our primary use case?

My main use cases for Splunk Enterprise Security are threat alerts.

What is most valuable?

The feature I appreciate the most about Splunk Enterprise Security is the dashboard. It has supported my SOC by making their job easier regarding notifications. It also reduces the time they have to spend using other tools to help them out, cutting down on their workload.

When it comes to incidents, we are able to detect, monitor, and handle incidents that come in. We can take those incidents and correlate them to other tools that we use. It serves as our single pane of focus.

Our security ops team's remediation time with Splunk Enterprise Security is measured in minutes. One notable improvement has been the maturation of our SOC, which now features a single pane of glass for incident viewing.

What needs improvement?

The correlation of events is the most significant challenge I face when using Splunk Enterprise Security for advanced threat detection. I am still looking at version 8 to see how it can be improved or how we can utilize it better.

For how long have I used the solution?

I have been using Splunk Enterprise Security for three years.

What do I think about the stability of the solution?

I assess the stability and reliability of Splunk Enterprise Security as having some issues because we have problems with our SC4S. We are working through it. There are some things that we need to troubleshoot, but we are addressing those.

What do I think about the scalability of the solution?

It is easy to scale Splunk Enterprise Security, and the plan is to expand it, however, we are in the planning stages right now. My experience with scaling has been smooth.

How are customer service and support?

I evaluate customer service and technical support as good, with no issues.

On a scale of one to ten, I would rate customer service and technical support an eight.

How would you rate customer service and support?

Positive

How was the initial setup?

My experience with pricing, setup costs, and licensing is that they are expensive and growing, but that is really above my level. Our C suite handles more of the pricing aspects.

What about the implementation team?

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security not overly complicated because we use Splunk resources to help us with this. It is not as challenging as we would think it would be.

What was our ROI?

I have seen a return on investment with Splunk Enterprise Security.

Which other solutions did I evaluate?

I use other security solutions that integrate or import data into Splunk Enterprise Security such as CrowdStrike, Proofpoint, and a threat intel platform called ThreatConnect.

What other advice do I have?

My advice to other organizations considering Splunk Enterprise Security is to weigh their options, but I would definitely recommend it.

On a scale of one to ten, I rate Splunk Enterprise Security an eight.

Which deployment model are you using for this solution?

Public Cloud

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
R Nandasana - PeerSpot reviewer
Senior Information Technology Security Consultant at Mideast Data Systems
Real User
Top 5, Leaderboard
Jun 28, 2025
Saves a lot of time with powerful alerting and notification mechanism
Pros and Cons
  • "I would definitely recommend Splunk Enterprise Security because if you are really concerned about security and want to follow compliance rules, this product is really helpful."
  • "We can only scale up the environment. For instance, with an ES server, we cannot make a cluster of ES. If you have two servers and want to make a cluster of these two servers for ES, that is not possible."

What is our primary use case?

Our purpose for using Splunk Enterprise Security is SIEM.

How has it helped my organization?

Machine learning has been incredibly beneficial in our efforts to detect various threats. For example, we pull all security logs and utilize the MLTK framework, which helps us identify potential risks effectively. So, overall, it's been quite helpful.

We use the risk-based alerting feature. For instance, when it detects a failed login attempt, it assigns a risk score to it. This allows us to utilize the risk-based alerting features effectively to prioritize incidents based on their severity.

Risk-based alerting generates notifications based on the level of risk associated with a transaction. This approach effectively assists in monitoring transactions, such as payments. It allows us to track the progress of a transaction, from initiation to completion, and identify any errors that may occur during the process. If there are numerous errors, we can assess the risk and determine whether the transaction might be a false positive.

Splunk Enterprise Security has been very helpful in this regard. However, I've noticed that improvement is still needed. We need to analyze the data more thoroughly. While this can be quite complex, finding a simpler solution would be beneficial.

What is most valuable?

The best features of Splunk Enterprise Security are the correlation rules and automation over the correlation rules. We can trigger alerts and notifications. The alerting and notification mechanism is really powerful and good. 

What needs improvement?

It needs more AI integration. The threat intelligence framework requires some AI functionality, which would be helpful.

For how long have I used the solution?

We have been using Splunk Enterprise Security for a couple of years, and I have been on the ES team for the last year. I have also used it in my previous company.

What do I think about the stability of the solution?

The stability of Splunk Enterprise Security rates at eight out of ten.

What do I think about the scalability of the solution?

It is scalable, but we can only scale up the environment. For instance, with an ES server, we cannot make a cluster of ES. If you have two servers and want to make a cluster of these two servers for ES, that is not possible. There is only one server, and if you want to increase scalability, you must increase the RAM and memory for that same server. The scalability is an eight out of ten.

We simply request Splunk support to increase our storage or make other adjustments as needed. We don't have access to AWS; all of that is managed by Splunk. We just need to reach out to them and say, "Please increase our storage by one terabyte," and they can handle that for us.

How are customer service and support?

Technical support for Splunk Enterprise Security is very good. We have daily calls. They are very helpful, rating at nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We tried LogScale in the past, but it has very limited functionalities and not a proper UI. It offers approximately 10% of Splunk Enterprise Security's capabilities. We haven't found any solution comparable to Splunk Enterprise Security.

How was the initial setup?

We utilize a combination of both cloud and on-premises setup. Specifically, we use Splunk Cloud for search indexes and other things. On the on-premises side, we have our heavy forwarders, standard forwarders, and user-defined forwarders. So, we effectively integrate both approaches.

The deployment for Splunk Cloud is very easy. They have predefined templates and setups on the AWS end. They utilize many AWS features. If you terminate any indexer, it will spawn up again. This type of automation exists with Splunk Cloud, making it really efficient.

It doesn't require any maintenance, but when we are doing batch upgrades, we need downtime, which is acceptable. It's four to five hours of downtime.

What about the implementation team?

Currently we have a team of seven people for Splunk Enterprise Security, with additional staff using Splunk Cloud and related services.

What was our ROI?

Splunk Enterprise Security helps to save a lot of time, which is our main purpose. Whenever something is wrong in our environment, we immediately get an alert. It saves time and costs. Compared to traditional methods, Splunk Enterprise Security saves approximately 40% to 50% of time.

What's my experience with pricing, setup cost, and licensing?

For small customers, Splunk Enterprise Security is quite expensive. For my team with a substantial budget, the cost is acceptable.

What other advice do I have?

I would definitely recommend Splunk Enterprise Security because if you are really concerned about security and want to follow compliance rules, this product is really helpful.

Splunk Enterprise Security helps save significant time and money, which most customers are looking for. It is easy to configure and manage. If you have certification or basic knowledge of Splunk Enterprise Security, it provides excellent job opportunities. The solution provides numerous helpful dashboards where you can directly check threats and other metrics. 

Overall, I would rate it an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
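Two of the reviews above describe risk-based alerting from different angles: the Solutions Director values it for prioritizing alerts across several risk factors, and the consultant in the last review describes a failed login receiving a risk score rather than an alert of its own. The block below is an added example, not code from either review or from Splunk, that models the mechanism: each detection writes a scored risk event against an entity, and a notable is raised only when the entity's accumulated risk over a window crosses a threshold and the evidence comes from several distinct rules. The events, the 100-point threshold, the three-rule minimum and the 24-hour window are assumptions for the example, not Splunk ES defaults.

```python
# Added example, not part of any review: a small model of risk-based alerting.
# Detections add risk to an entity instead of raising their own alert; a notable
# fires only when the entity's accumulated risk in a window crosses a threshold
# and comes from several distinct rules. Thresholds and events are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RISK_THRESHOLD = 100     # assumed: total risk needed to raise a notable
MIN_DISTINCT_RULES = 3   # assumed: evidence must come from different detections
WINDOW = timedelta(hours=24)

T0 = datetime(2025, 9, 1, 8, 0, tzinfo=timezone.utc)


def risk_events():
    """Constructed risk events, roughly what detections write to a risk index:
    (entity, rule name, ATT&CK tactic, risk score, time)."""
    ev = []
    # alice: one noisy rule fires six times; lots of risk but a single source
    for i in range(6):
        ev.append(("alice", "Failed Login Burst", "Credential Access", 20,
                   T0 + timedelta(minutes=10 * i)))
    # bob: moderate risk from three different rules spanning three tactics
    ev += [
        ("bob", "Failed Login Burst", "Credential Access", 20, T0),
        ("bob", "New Admin Group Member", "Privilege Escalation", 40, T0 + timedelta(hours=1)),
        ("bob", "Impossible Travel", "Initial Access", 50, T0 + timedelta(hours=2)),
    ]
    # carol: the highest-scoring event is two days old and falls outside the window
    ev += [
        ("carol", "Impossible Travel", "Initial Access", 50, T0 - timedelta(days=2)),
        ("carol", "New Admin Group Member", "Privilege Escalation", 40, T0),
        ("carol", "Rare Process", "Execution", 30, T0 + timedelta(minutes=5)),
    ]
    return ev


def risk_notables(events, now, threshold=RISK_THRESHOLD,
                  min_rules=MIN_DISTINCT_RULES, window=WINDOW):
    """Aggregate risk per entity over (now - window, now]; return the entities
    that cross the threshold with enough distinct rules, with their evidence."""
    agg = defaultdict(lambda: {"score": 0, "rules": set(), "tactics": set()})
    for entity, rule, tactic, score, ts in events:
        if now - window < ts <= now:
            agg[entity]["score"] += score
            agg[entity]["rules"].add(rule)
            agg[entity]["tactics"].add(tactic)
    notables = {}
    for entity, a in agg.items():
        if a["score"] >= threshold and len(a["rules"]) >= min_rules:
            notables[entity] = {
                "score": a["score"],
                "rules": sorted(a["rules"]),
                "tactics": sorted(a["tactics"]),
            }
    return notables


def sample_notables(min_rules=MIN_DISTINCT_RULES):
    """Evaluate the constructed events three hours after T0."""
    return risk_notables(risk_events(), now=T0 + timedelta(hours=3), min_rules=min_rules)


if __name__ == "__main__":
    for entity, info in sample_notables().items():
        print(f"notable: {entity} risk={info['score']} "
              f"rules={info['rules']} tactics={info['tactics']}")
    # Dropping the rule-diversity requirement also surfaces alice's single noisy rule
    print("with min_rules=1:", sorted(sample_notables(min_rules=1)))
```

With these inputs only bob becomes a notable: 110 points from three rules across three tactics. alice accumulates more raw risk (120) but from one chatty rule, which is exactly the case the distinct-rule requirement is there to suppress; carol's old impossible-travel event has aged out of the window, leaving her at 70. The two thresholds are the tuning knobs the reviews refer to when they talk about fine-tuning RBA and reducing false positives.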
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2026