Manager, Security Engineering at a computer software company with 1,001-5,000 employees
Real User
Rock-solid reliability with great threat intelligence management and good visibility across environments
Pros and Cons
  • "The feature that we use the most is the correlation search engine within ES."
  • "It is a hugely complicated product."

What is our primary use case?

I've been building SOCs for multinational banks across Asia and Australia, the Middle East, and right now in the United States.

It's the tool that we use to build SIEMs to meet logging requirements and to identify security issues across larger states of data sets.

How has it helped my organization?

We wanted to give our analysts visibility in near real-time to problems as they occur. That's the goal. 

By using the frameworks that we've adopted, like MITRE ATT&CK and the coverage mapping, we're able to show the divisions that we have in our detection environment. And we map that across with our prevention layers just to describe to the business the deficiencies we have. We can show, for example, these are the areas we can't see since we don't have logging for them, or these are the areas we can spend more time on to draw down risk due to the fact that, while we have the logging, we haven't got the searches and correlation searches in place that would perform detection behind the preventative controls. So it gives us a guide as to where we can spend time better.

What is most valuable?

The feature that we use the most is the correlation search engine within ES. That is the one we use absolutely the most. There are a lot of other features in there; however, that's the one we use.

Our organization does monitor multiple cloud environments. It's not "easy" per se. I'm a Splunk-certified architect. I've got 30 years of experience. If you've got 30 years of experience and you're a Splunk-certified architect, it's easy. If you haven't, you've got no chance.

Splunk Enterprise Security's visibility into multiple environments, for example, cloud, on-prem, and hybrid is good. Splunk doesn't care. It's as easy on-prem as it is on the cloud, as it is hybrid. I've built up all three individually and separately depending on the environment.

The insider threat detection capabilities for helping our organization find unknown threats and anomalous user behavior are okay. It can do it; however, it is not a UEBA out of the box. It doesn't pretend to be. Splunk has a separate product for that which is not the Enterprise Security suite. That said, if you enable the access domain correctly within ES, it gives you really good insight into what your insider users are doing. That's what the access domain is. However, it doesn't have the advanced features that you would expect from your UEBA product, as it is not one.

We use the threat intelligence management feature. My impressions of the actionable intelligence provided by the threat intelligence management feature are mixed. We import anomaly threat intel into the Splunk ecosystem to do that. We use the framework that Splunk provides, and we supplement it with the threat intel from a third party, and that works really well.

We use the MITRE ATT&CK Framework. We've mapped all of our detections around that MITRE framework. There are four frameworks built in, and we chose MITRE. It just makes more sense. You only pick one. There's no sense in picking more than one.

It’s helpful to uncover the overall scope of an incident. If you've done the work to map your MITRE ATT&CK Framework into the product, then you have a hit against a MITRE ATT&CK technique. Then at least you know where it is in the MITRE ATT&CK framework so that you can describe it as a common frame of reference with a third party. However, it doesn't necessarily give you an idea of the scope. It requires more effort. That said, it's certainly a really good starting guide as to where you are.

Splunk Enterprise Security is okay for analyzing malicious activities and detecting breaches. It's only as good as the operators that use it. Out of the box, it doesn't do anything. You have to put the work in to make it do that. I can't begin to say how useful it is when it's first configured. You need to spend a lot of time working on your environment to make it do that.

It helped us detect threats faster. Without it, you can't check anything. It's too complicated.

The solution has helped us speed up our security investigations. Without it, you don't have investigations. Also, with the alerting itself, Splunk becomes best of breed.

What needs improvement?

Enterprise Security hasn’t helped us reduce our alert volume. The analysts have, however.

We do all of our enterprise security on-prem. We avoid the Splunk Cloud solution since we want the flexibility to build our own. It is a hugely complicated product. Obviously, anything that they could do to make it easier would be ideal.

Buyer's Guide
Splunk Enterprise Security
June 2025
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
861,490 professionals have used our research since 2012.

For how long have I used the solution?

I've used the solution for over ten years. 

What do I think about the stability of the solution?

It's rock solid. It never failed. Having resilience in our organization is fundamental to our security position. 

What do I think about the scalability of the solution?

We're a multinational and have Splunk in the UK and US. We have 2,000 employees and 2,000 endpoints at the employee level. We also have around 12,000 production endpoints, and it runs across a multi-cloud hybrid that includes GCP and AWS. It also has a tiny on-prem footprint.

You can horizontally scale someone instantly. I've never been afraid we would exceed horizontal requirements. 

How are customer service and support?

We don't use technical support. 

Which solution did I use previously and why did I switch?

I did not previously use a different solution in this company. 

A long time ago, the company replaced ArcSight with Splunk. 

How was the initial setup?

The initial deployment was complex. 

Our strategy has been to avoid clustering for searching and to build a significantly larger virtual machine for running the ES environment as a stand-alone. It's got 128 cores and 256 GB of RAM so that it can run inside itself and not have to cluster, since a cluster adds too much complexity.

We only need one person, myself, to deploy the solution. I'm a Splunk-certified architect and I have 15 years of experience doing nothing but Splunk.

The solution does require some maintenance. We have seven people in total handling maintenance. 

What was our ROI?

I have witnessed ROI. However, luckily, our center does not have to pay for the license. 

What's my experience with pricing, setup cost, and licensing?

We get enterprise licensing via Intuit, our parent company. The licensing is horrendously expensive. 

Which other solutions did I evaluate?

I did not evaluate other options. This solution was in place when I arrived. 

What other advice do I have?

I'm an end-user.

If you are looking for a cheaper option, you probably don't have a focus on security or have a risk that you care about enough to purchase a premium solution. If you look at the Gartner roadmap, Splunk is a clear leader, and it's always at the top right quadrant. Everything else is attempting to catch up to Splunk. There's no one else in front of it. If you choose something like Elastic or Sumo, your company doesn't place an emphasis on security. 

I'd rate the solution nine out of ten. It's a lot of work. Almost nothing works out of the box. You have to invest in it for three to five years at a minimum. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer2499726 - PeerSpot reviewer
IT Security Specialist at a financial services firm with 10,001+ employees
Real User
Helped improve our organization's ability to ingest and normalize data but the incident response dashboard could be more user-friendly
Pros and Cons
  • "The benefits include the easy integration with other Splunk tools including Splunk UEBA, Splunk ITSI, and Splunk Core. The ease of integration and the organization's experience and familiarity with searching and passing logs through Splunk are the main benefits."
  • "The incident response dashboard could be more user-friendly."

What is our primary use case?

Our use cases are for creating security analytics for our SOC team.

How has it helped my organization?

Splunk Enterprise Security is one of the Splunk tools we use to mature our security posture. We use it to be on top of potential threats to the organization.

The benefits include the easy integration with other Splunk tools including Splunk UEBA, Splunk ITSI, and Splunk Core. The ease of integration and the organization's experience and familiarity with searching and passing logs through Splunk are the main benefits.

Apart from the legal and compliance requirements for the bank, it's important that the bank is ahead of bad actors to be able to proactively detect and prevent threats to the organization. At the end of the day, the goal is to protect the organization, the stakeholders, shareholders, the bank's reputation, and the users and customers of the bank.

What is most valuable?

The Splunk incident response dashboard is pretty useful because it helps first responders triage incidents and properly escalate when necessary.

We find Splunk very useful on the enterprise level to detect and prevent security threats.

Splunk Enterprise Security has definitely helped improve our organization's ability to ingest and normalize data. We have many log sources and over ninety thousand staff. We have endpoints, servers, syslog data, and BYOT data. Splunk has been instrumental in maturing the security posture of the organization.

Splunk does a pretty good job at identifying threats in real-time. 

It provides us with the relevant context to help guide our investigations. During onboarding, once the log sources are properly onboarded based on Splunk's recommendation for SIEM compliance, we found real value in being able to aggregate different types of data and load them properly so that we can then pass on and access them very easily. 

It has improved my organization's business resilience. We've been able to mature our security program and posture over the years.

The ability to see everything from a single tool is very helpful. From the context of communication with our executives, being able to show them a unified dashboard to see the security posture has been very useful. For example, our executives can see the security posture or position of all of the branches of the bank from a single dashboard. Dashboards like that give them peace of mind to have that kind of visibility to know the state of things. Splunk is very instrumental in that. 

What needs improvement?

The incident response dashboard could be more user-friendly.

In the next release, I would like to see the integration of Splunk Enterprise Security with Splunk UEBA. That's a big one. We've spoken with the engineers working on a new UEBA integration with Splunk but right now Splunk UEBA is a separate setup entirely.

For how long have I used the solution?

I have been using Splunk Enterprise Security for three years.

What do I think about the stability of the solution?

Splunk Cloud has its advantages. The company might be moving in that direction because you don't worry about infrastructure. But being on-prem, part of what we worry about is the underlying infrastructure of Splunk, which is directly relevant to the stability. The resources used for search and load are tied to the infrastructure behind it. It's been stable.

What do I think about the scalability of the solution?

We've been able to scale rapidly to meet our needs. Splunk Cloud could be advantageous because it's a platform and it will cut out the worry and the need to manage infrastructure on your own. 

How are customer service and support?

I work more with Splunk UBA. My experience with my rep has been good. 

I would rate support an eight out of ten only because everything has room for improvement.

How would you rate customer service and support?

Positive

How was the initial setup?

It's an on-prem deployment. I have more experience setting Splunk up in a Linux environment. It's been a good experience.

What other advice do I have?

I would rate Splunk Enterprise Security a seven out of ten because there's room for improvement. Splunk always positions itself as a market leader. This would involve understanding your competition, seeing their products, and seeing how you can improve to meet their customers' needs. 

From my experience, Splunk has done a good job at that because we have customer success reps who are concerned about how Splunk is meeting our needs. Splunk can definitely do better which is why I'm giving it a seven. 

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Vikram Cherala - PeerSpot reviewer
Senior advisor at TekWissen India
Real User
Top 20
It's easier to customize than other solutions
Pros and Cons
  • "We have created a few custom use cases for Splunk that have helped us detect threats faster. For example, we set up endpoint-related data models and specialized setups for various scenarios. It's more efficient than some other products I've used."
  • "The access and identity features could be improved. For example, let's say we have onboarded 65 logs. Now, we can identify the various processes, but we run into trouble when we're updating the processes for AWS CloudTrail, EDR, MDR, and XDR."

What is our primary use case?

I am on the intelligent engineering team responsible for onboarding logs and operationalizing Splunk Enterprise. We have a separate team for creating use cases and other stuff. I onboard logs and manage the infrastructure. When you onboard various logs, it creates different data models and normalizes the fields for compliance.

How has it helped my organization?

We have created a few custom use cases for Splunk that have helped us detect threats faster. For example, we set up endpoint-related data models and specialized setups for various scenarios. It's more efficient than some other products I've used. 

Splunk has sped up our security investigations. We can automate some functions using playbooks, like automating scans for perimeter vulnerability. If you have the signatures, Splunk can intervene automatically to block threats according to the playbook. 

What is most valuable?

Splunk lets us integrate multiple third-party threat intelligence feeds. We can also customize the data models for correlation more than we could with competing SIEM solutions. We can filter out the noise and see our alerts. 

I created some security reports or dashboards. We also have dashboards for user requests related to our firewalls, like Palo Alto and traffic or activity alerts. We can also see where we're getting a lot of authentication failures, etc. We've also created some other custom use cases, like using VPN logs and use cases for analyzing the national origins of repetitive malware. We have integrated some other solutions like Carbon Black EDR or MDR as well as Vectra, which is fully automated with AI. They have their own signatures.

We get decent visibility with Splunk and integration with data visualization tools like Grafana. We also have various threat intelligence feeds that are updated regularly with the latest IOCs and signatures, which we can use for threat hunting. 

What needs improvement?

The access and identity features could be improved. For example, let's say we have onboarded 65 logs. Now, we can identify the various processes, but we run into trouble when we're updating the processes for AWS CloudTrail, EDR, MDR, and XDR. 

For how long have I used the solution?

I have used Splunk for the past three or four years. 

What do I think about the stability of the solution?

Splunk is stable. It has around 97 percent uptime in my environment. 

What do I think about the scalability of the solution?

I rate Splunk Enterprise Security nine out of 10 for scalability. 

How are customer service and support?

I rate Splunk technical support seven out of 10. We rarely rely on Splunk support except for critical upgrades and migrations. Sometimes, we open a ticket if we see a performance problem, and they find a solution. Typically, we find a solution for our issues online in user forums or knowledge bases.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Previously, we used some open-source solutions, Sumo Logic, and Graylog. 

How was the initial setup?

We have Splunk deployed in two environments for different purposes. One is for ITSI, general dashboards, and our APM application. That is deployed in the cloud. We have it in an on-premises environment for enterprise security. We have a cluster that spans three data centers. Deploying Splunk is easy if you have some experience. Configuring the log sources, managing the indexes, and learning all the features is more challenging.

Splunk doesn't require maintenance aside from the disaster recovery and DLP aspects. We have a huge environment in different data centers set up for high availability. 

What was our ROI?

Splunk is expensive, but you can get a lot out of it if you have the expertise and know how to customize it. It's more customizable than other platforms. In Java or .NET, everything is pretty defined, so you can't do much customization, whereas Splunk lets you customize dashboards, alerts, and reports using SQL. The cheapest solution is always open source, but these products don't have many capabilities. They might work in a small environment. I would recommend trying LogRhythm, ELK, or Google Chronicle.

What's my experience with pricing, setup cost, and licensing?

Splunk is very expensive because we have recently integrated another solution, and 40 percent of the licensing cost is driven by that. 

What other advice do I have?

I rate Splunk Enterprise Security nine out of 10. I would recommend Splunk to others. When implementing Splunk, it's crucial to set up your use cases, onboard threat intelligence and log sources, and create data models. Using simple XML language, you can create a data model and a simple pivot table to generate complex reports. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
CEO at Securis360 inc.
Reseller
Used for compliance, logging, log storage, and root cause analysis
Pros and Cons
  • "Splunk Enterprise Security is a standard solution providing good customer service and partnership."
  • "Splunk should have more regional data centers in the Middle East."

What is our primary use case?

We mostly use the solution for compliance, logging, log storage, and root cause analysis. In 2015, we had AIG as a client, and they only had Splunk. Splunk Enterprise Security is one of the oldest solutions that did the logging and storage.

How has it helped my organization?

Splunk has fantastic brand value, which helps us sell it as resellers. The solution's pricing is quite competitive. The solution meets all the requirements. As a compliance person, I know that log storage is very important for data privacy compliance guidelines like ISO or CCPA. Splunk provides all of those compliances and checkmarks.

What is most valuable?

I like that the tool is light and the agent doesn't slow down the machine. Splunk Enterprise Security is a standard solution providing good customer service and partnership.

What needs improvement?

The solution should improve regional knowledge of the new regulations coming out of the Middle East. As a consulting firm, we are currently targeting many Middle Eastern markets, including Saudi Arabia and Dubai. They don't have a local server support cloud center there, which is a big issue because they don't want their data to go out of the region. Splunk should have more regional data centers in the Middle East.

For how long have I used the solution?

I have been using Splunk Enterprise Security for five years.

What do I think about the stability of the solution?

Splunk Enterprise Security provides good stability.

What do I think about the scalability of the solution?

The solution's scalability is fantastic. Even 10,000 to 50,000 endpoints don't slow anything down. The servers, log storage, and ingestion work smoothly, irrespective of whether there are 5,000 or 50,000 endpoints.

How are customer service and support?

The solution’s technical support is very good.

What was our ROI?

Our customers using Splunk Enterprise Security don't have any compliance issues, and they don't get fined by the regulators, which saves them money.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security's pricing is pretty competitive.

What other advice do I have?

I'm a consultant who uses Splunk for other clients. It's important for the clients that it can communicate with all kinds of devices, like firewalls, WAFs, servers, endpoints, switches, and routers. All of that is figured out over time, which is useful.

Splunk Enterprise Security is a good tool for finding security events across multi-cloud, on-premises, or hybrid environments.

Splunk has helped improve our organization's ability to ingest and normalize data. It can also identify and solve P1 or high-critical-priority problems in real-time.

Splunk Enterprise Security has helped us reduce our alert volume by around 50%.

The solution provides us with the relevant context to help guide our investigations, and this context information has impacted our investigation process. Having all the data in a single place does help with post-incident response and forensic root cause analysis.

Splunk Enterprise Security has significantly helped speed up our security investigations. I save 60% to 70% of my time because it's easier to find what I want to find through the tool's user interface.

Splunk Enterprise Security has helped reduce our mean time to resolve by around 50%.

Overall, I rate the solution ten out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
reviewer2239824 - PeerSpot reviewer
Sr Cybersecurity Engineer at an energy/utilities company with 10,001+ employees
Real User
Correlation searches are very helpful, and it has amazing stability and fantastic documentation
Pros and Cons
  • "The correlation searches are most valuable just because we are able to do things like RBA."
  • "The UI could be better. This is applicable to Splunk in general. I know that a lot of people who get their hands on Splunk are hesitant to use it just because they find it overwhelming. There are a lot of options."

What is our primary use case?

We essentially use Splunk for our Security Operations Center (SOC). All of the notables that we create for the SOC are done in Splunk Enterprise Security. It is our SIEM.

How has it helped my organization?

I cannot put a value on it, but it has been pretty good. Previously, we used to use ArcSight. I used to do incident response when I first joined the SOC, and there were times when I used to sit down and run a search right at the start of my shift, which is at 7 AM, and I used to hope that it would be run by the end of the shift at 7 PM. I used to hope that it would run in 12 hours and not time out. When we got Splunk, it was a game changer. It took seconds to a minute depending on how intense the search was.

We monitor multiple cloud environments. It is easy to ingest data in Splunk. Based on what I hear from our customer success manager, he has customers who have issues ingesting logs, but for me, it is one of the easiest things ever. Their documentation is fantastic.

Splunk Enterprise Security has end-to-end visibility into our cloud-native environments. It is very important for us. When we first got cloud, it was like the Wild West. Anyone could spin up their own cloud infrastructure, and we would not know about it. It was public. We did not know what they were doing with it. Now, we have a better grasp and understanding of what is out there, so Splunk makes it easy for us to keep track of our endpoints that are public-facing.

Splunk Enterprise Security has helped reduce our mean time to resolve. As compared to ArcSight, it has saved at least three to four hours per incident. We utilize a SOAR platform. We do not use Splunk SOAR. We use a different SOAR platform, but with the combination of Splunk Enterprise Security and our SOAR platform, we are able to cut down our mean time to resolve. The time saved varies depending on the case. A normal case would probably take less than ten minutes per investigation. A critical P1 case would take more time, but a normal day-to-day case would take less than ten minutes for our analysts to do their work. A normal case is where a user clicks on a phishing link in an email, or your EDR solution says something happened and there is a threat actor in your environment moving laterally trying to access data.

What is most valuable?

The correlation searches are most valuable just because we are able to do things like RBA. One of the things that we started pretty recently is our insider threat program, and it has been pretty good, especially using RBAs as our framework for the insider threat.

What needs improvement?

The UI could be better. This is applicable to Splunk in general. I know that a lot of people who get their hands on Splunk are hesitant to use it just because they find it overwhelming. There are a lot of options. If you open Google.com, you just have a search bar. You just search and hit "go," but when people look at Splunk, they are just overwhelmed. I see that with our analysts. Even after training, if they do not use it every day, which they should be doing, they kind of lose it.

Its learning curve is a bit steep. It is hard for users to use it. For individuals who know how to use it, it is fantastic. It is great. For example, if you are a Splunk Cloud customer, and you had an outage or there is a maintenance window, those individuals who are power users would know immediately when it happens or they would know that there is a maintenance window coming up because they are the experts. They are the SMEs on their teams, and they are the ones creating value using Splunk. Individuals who do not know how to use it are intimidated.

For how long have I used the solution?

We have been using Splunk Enterprise Security since 2017. It has been about six years.

What do I think about the stability of the solution?

Its stability is amazing. It is always up. It is fantastic.

What do I think about the scalability of the solution?

It is awesome. When we first purchased Splunk Cloud, our ingest rate was about one terabyte or one and a half terabyte. We moved from the ingest-based license to the workload-based license three or four years ago, and now, we ingest about 10 to 12 terabytes. It is handling that just fine as if nothing has changed.

How are customer service and support?

I would rate their support a six out of ten because there are times when someone picks up a support case, but they do not know what they are doing. I have to guide them. It is like, "I have already done the research. This is what needs to be done. There you go. Do it." I expect a little bit more from support in terms of having the knowledge upfront.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We had on-premises ArcSight. We had one guy run it for our enterprise. Our enterprise has roughly over 130,000 people. We are a global company, and we had one guy run the entire infrastructure. We could tell when he took days off because it would not work. When we moved to Splunk, we went to Splunk Cloud immediately. We were one of the first Splunk Cloud customers or one of the bigger ones. That is what I was told when we made the switch.

I do not know whether we have seen any cost efficiencies by switching to Splunk Enterprise Security because I was not there during the ArcSight days per se. I was there at the very tail end, but I would assume that we have seen cost efficiencies just because ArcSight was only used by the security team, whereas Splunk is used enterprise-wide, not just by the security team. It should be cheaper for us. The value is there. It is cross-functional.

How was the initial setup?

I was not involved in its deployment.

What was our ROI?

Its time to value was about a year. It took us about a year because back in 2017, we were making that conversion from an on-premise ArcSight deployment to a Splunk Cloud deployment. We had to make sure that everything that was being sent to ArcSight was sent correctly to Splunk. We had to make sure that everything was in a common information model format and that we could rebuild the content.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is cheaper than competitors, but I do not know whether it is just our contract. 

Everyone says that Splunk, in general, is expensive. I have talked to many peers within our industry, and I know a lot of individuals who are moving away from Splunk just because of the price. That is one of the reasons why we are looking at other competitors to see if anyone is doing something better than Splunk and has a cheaper rate.

Which other solutions did I evaluate?

I have looked at other competitors. We recently looked at CrowdStrike's LogScale solution. It feels like Splunk to me. I cannot say how we would reproduce what we have done in Splunk on the infrastructure side or backend. Our environment is uniquely different. Technically, I am the only person who runs Splunk for our entire organization, similar to the way the previous person ran ArcSight for the organization. If I were to compare apples to apples, Splunk to me is still number one in that category.

Splunk's community is the biggest benefit. It is so easy to go to Slack and hit someone up. There is a good chance that you will find someone out there who has run into the exact same issue that you are having. Their documentation is fantastic. Because I am the only one who runs it for our organization, it is easy for me just to Google it, find the document, and just follow it. It is as simple as that. It gets a little dicey with XDR and all the other things that are happening in the market, such as using a data lake. Instead of putting our eggs in one basket or using Splunk, we might use something like Snowflake.

What other advice do I have?

I get introduced to new ideas by attending the Splunk Conference. In the year before last, someone did a talk about business email compromises. Within our company, we did something similar, and we did it about nine to ten months before the talk. I listened to the talk to see if we were doing anything different from what they were doing. I found out that we were doing the exact same thing essentially. I thought, "We could have done a talk like this too." These talks are very helpful. For example, they showcased the attack analyzer, and currently, we are looking for an automated online sandbox, just like the attack analyzer. We have been looking at cloud-based sandboxes that are out there. Being able to see it hands-on and how it interacts with Splunk makes it much easier for us to make that decision.

Overall, I would rate Splunk Enterprise Security a nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2499570 - PeerSpot reviewer
Electronics Engineer at a government with 10,001+ employees
Real User
Improved our organization's ability to ingest normalized data and dashboards let us dig deep into our actual system
Pros and Cons
  • "The site is constantly up, and it's been really easy to adjust the data."

    What is our primary use case?

    We monitor secure events and notable events in the system and watch for outside intrusion. We create a lot of dashboards to respond to these events. It's used to monitor our live system, and as things occur, such as alarms and other notifications, it's really helpful.

    How has it helped my organization?

    We've captured many security intrusions and all kinds of threats trying to access the system and cause issues, particularly with the FAA in Alaska.

    It's been great for us so far.

    Splunk Enterprise Security providing end-to-end visibility into our environment is really critical. If we don't capture these events and something happens in the system, it could cause havoc to the telecommunications system in Alaska and really mess up air traffic.

    Splunk Enterprise Security has been fantastic in helping us find any security event across multi-cloud, on-prem, or hybrid environments. I would give it a ten on ten.

    It 100% improved our organization's ability to ingest normalized data. Splunk's ability to identify and solve problems in real time has been great. We use it in real-time every single day, 24/7.

    Moreover, it helped us reduce our mean time to resolve. 

    It helped us improve our organization's business resilience. We have great impressions of its ability to predict, identify, and solve problems in real-time. 

    It 100% helps us consolidate networking, IT security, IT, and observability. Just being able to have everything in one spot together, a one-stop shop, is huge.

    What is most valuable?

    The dashboards let us dig deep into our actual system. Our system is spread throughout Alaska with about 70 sites, each with all kinds of equipment. Splunk Enterprise Security helps us mine through that data and look for security events.

    For how long have I used the solution?

    I have been using it for about ten years now. We use it in our system in Alaska. Basically, it's the software we use to do a lot of our monitoring of the system and dig deep into the data.

    What do I think about the stability of the solution?

    It's been great. The site is constantly up, and it's been really easy to adjust the data.

    How are customer service and support?

    It's been pretty good. I've never had to deal with it personally.

    Which solution did I use previously and why did I switch?

    Ever since I started here, we've been using Splunk.

    What other advice do I have?

    I'd give it a nine out of ten. There's always room for improvement, but Splunk is pretty great. It's one of our main tools.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Koti Masipogu - PeerSpot reviewer
    Splunk developer at Maveric Systems Limited
    Real User
    Helps us monitor multiple cloud environments, offers strong capabilities for detecting insider threats, and reduces our alert volume
    Pros and Cons
    • "Splunk Enterprise Security is a valuable tool that allows us to monitor data from the APS daily."
    • "When files are absent, troubleshooting becomes difficult, and performance issues inevitably arise."

    What is our primary use case?

    Splunk Enterprise Security serves as our primary tool for endpoint detection.

    How has it helped my organization?

    Our organization manages security across multiple cloud environments. Splunk Enterprise Security is a valuable tool in this process, offering a comprehensive dashboard that centralizes monitoring for all our cloud deployments. This unified view allows us to efficiently track security posture and identify potential threats from a single location.

    Splunk Enterprise Security offers strong capabilities for detecting insider threats. This security platform excels at analyzing data from a variety of sources, allowing it to identify unusual user behavior patterns.

    It does a good job of analyzing malicious activity and helps us detect threats faster.

    Splunk Enterprise Security helps reduce our alert volume and helps speed up our security investigations.

    In our financial institution client environment, the insider threat detection capabilities allow us to closely monitor credit and debit card transactions for any signs of compromise. By leveraging Splunk's capabilities, we can proactively identify and address potential security threats that might impact our client's financial data.

    We have improved our incident response time with Splunk.

    Splunk Enterprise offers a variety of apps that cater to different needs. These apps provide features like directory management, add-on and data model control, report dashboards, and alerts. Notably, some of these functionalities are available in the free version. Additionally, there are separate apps for security purposes. Our EMEA region has its own set of apps, allowing them to upgrade, maintain, and manage separate dashboards specific to their requirements.

    Dashboards can be customized to allow users to easily monitor specific data relevant to their needs. This might include data segmented by country, region, or even customer credit card information. By customizing the view, users can quickly identify trends and gain insights into areas of particular interest. Additionally, dashboards can be configured to automatically display default information or alerts upon opening, further streamlining the monitoring process and ensuring users can find the specific data they need right away.

    What is most valuable?

    Splunk Enterprise Security is a valuable tool that allows us to monitor data from the APS daily. This monitoring focuses on the success or failure of APS calls. Successful calls are identified by a status code of 200, while unsuccessful calls are indicated by a status code of 400 or any other code. By monitoring these codes, we can proactively identify situations where the intended data retrieval fails due to backend server issues. This distinction is important because it helps us differentiate between failures caused by backend server problems and those resulting from issues with the monitoring team's ability to send requests. This clear separation allows a dedicated team to investigate these specific backend server failures and implement resolutions.

    What needs improvement?

    Data profiling, data onboarding, and data maintenance are all crucial steps in ensuring the quality and usability of our information. However, encountering missing files disrupts this process. When files are absent, troubleshooting becomes difficult, and performance issues inevitably arise.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for many years.

    What do I think about the stability of the solution?

    Splunk Enterprise Security is stable.

    How was the initial setup?

    The initial deployment is straightforward.

    What other advice do I have?

    I would rate Splunk Enterprise Security eight out of ten.

    Splunk Enterprise Security is a powerful security solution that offers flexibility. This flexibility empowers our team to adapt and respond to evolving threats. With Splunk Enterprise Security, we have the tools and adaptability to effectively address whatever security challenges we encounter.

    I recommend Splunk Enterprise Security as the most suitable solution for monitoring and protecting our data.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
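The status-code monitoring described in the review above (successful calls at 200, failures at 400 or other codes, with backend failures routed to a dedicated team) is shown here as an added example; it is not code from the review, from Maveric Systems, or from Splunk. The log lines are constructed sample data, the log layout and field names are assumptions, and the example goes slightly beyond the review by splitting failures into 4xx (request-side) and 5xx (backend) buckets according to standard HTTP semantics, which is what makes the "backend server problem versus monitoring team's request problem" distinction mechanical rather than manual.

```python
"""Classify API call outcomes from access-log lines by HTTP status code.

Added example, not code from the review, the reviewer's employer, or Splunk.
The log lines below are constructed sample data; the line layout and
field names are assumptions. 2xx is success, 4xx is a request-side error
(auth, bad input, missing route), 5xx is a backend error that a backend
team should own.
"""
import re
from collections import defaultdict

# Constructed sample log lines in a simple access-log layout (assumption):
# timestamp method path status latency
SAMPLE_LOG = """\
2025-06-01T10:00:01Z GET /api/v1/accounts 200 12ms
2025-06-01T10:00:02Z GET /api/v1/accounts 200 15ms
2025-06-01T10:00:03Z POST /api/v1/transfer 503 2001ms
2025-06-01T10:00:04Z POST /api/v1/transfer 502 1998ms
2025-06-01T10:00:05Z GET /api/v1/cards 401 3ms
2025-06-01T10:00:06Z GET /api/v1/cards 200 9ms
2025-06-01T10:00:07Z POST /api/v1/transfer 200 120ms
2025-06-01T10:00:08Z GET /api/v1/accounts 500 40ms
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<latency>\d+)ms$"
)


def classify(status: int) -> str:
    """Bucket a status code the way an on-call team would route it."""
    if 200 <= status < 300:
        return "success"
    if 400 <= status < 500:
        return "request_error"   # caller-side: fix the request, not the server
    if 500 <= status < 600:
        return "backend_error"   # server-side: hand to the backend team
    return "other"


def summarize(log_text: str) -> dict:
    """Per-endpoint counts per bucket plus a backend failure rate."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip unparseable lines rather than miscount them
        key = f"{m['method']} {m['path']}"
        counts[key][classify(int(m["status"]))] += 1
    summary = {}
    for endpoint, buckets in counts.items():
        total = sum(buckets.values())
        summary[endpoint] = {
            **dict(buckets),
            "total": total,
            "backend_failure_rate": round(
                buckets.get("backend_error", 0) / total, 3
            ),
        }
    return summary


def backend_alerts(summary: dict, threshold: float = 0.5) -> list:
    """Endpoints whose backend failure rate meets the alerting threshold."""
    return sorted(
        e for e, s in summary.items() if s["backend_failure_rate"] >= threshold
    )


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for endpoint, stats in sorted(s.items()):
        print(endpoint, stats)
    print("backend alerts:", backend_alerts(s))
```

On the sample data the transfer endpoint trips the backend alert (two 5xx out of three calls) while the cards endpoint's 401 stays in the request-side bucket and never reaches the backend team. The same split in Splunk is a search that assigns the bucket with `eval` and then aggregates with `stats count by` over the endpoint and bucket fields; the thresholding here corresponds to the correlation search that would raise the notable event.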
    Harsh Bhardiya - PeerSpot reviewer
    SOC Engineer at Just Dial Limited
    Real User
    Provides complete visibility, analyzes malicious activities, and improves detection times
    Pros and Cons
    • "Splunk Enterprise Security offers valuable features like seamless integration and a SQL-standard Structured Query Language for easy searching."
    • "Splunk's implementation process for managing multiple indexes can be complex, especially when dealing with a large number of components."

    What is our primary use case?

    We use Splunk Enterprise Security to secure our client's network and provide clear visibility.

    Our client lacked a SIEM solution to comply with regulations, so we recommended Splunk Enterprise Security, and they agreed to implement it.

    How has it helped my organization?

    Splunk Enterprise Security provides complete visibility into the environment. We can add any data to the indexer, and it will begin to be displayed. All we need to do is create use cases tailored to the client's needs.

    Splunk's threat intelligence management capabilities are strong, thanks to its user-friendly interface and ability to correlate data from various sources. While it competes favorably with other SIEM tools, its effectiveness ultimately depends on how it's configured.

    The actionable intelligence from Splunk's threat intelligence management feature helps us understand what's happening in our environment, enabling further investigation.

    We updated the IOCs within the MITRE ATT&CK framework indexing for Splunk. This allows us to compare all received alerts against the MITRE ATT&CK categories. By using the MITRE ATT&CK framework, I can identify the potential type of threat, its mitigation strategies, and the overall attack behavior. Furthermore, I can use the framework to investigate the affected hosts, their origin, and the attack vector.

    Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.

    Splunk Enterprise Security has improved our detection time.

    Splunk Enterprise Security has improved our clients' security posture by providing them with better visibility into vulnerabilities, along with proper mitigation strategies and clear explanations. The benefits are apparent within the first month.

    Splunk Enterprise Security helped us reduce our alert volume. Initially, the high number of alerts was overwhelming because we were in a new environment, but the volume gradually leveled off and decreased by 50 percent.

    Splunk Enterprise Security has accelerated our security investigations by 30 percent. It integrates seamlessly with our EDR solution, providing a single pane of glass view for all security logs.

    What is most valuable?

    Splunk Enterprise Security offers valuable features like seamless integration and a SQL-standard Structured Query Language for easy searching. Additionally, implementing devices is straightforward, similar to a plug-and-play process.

    What needs improvement?

    Splunk's insider threat detection capabilities have limitations. While it offers customization, pre-configured rules for common threats are scarce. This means we need to create our own rules, which can be effective if we have the expertise and understand our specific needs. However, behavior analytics seem less useful and have room for improvement.

    Splunk's implementation process for managing multiple indexes can be complex, especially when dealing with a large number of components.

    Splunk could benefit from a feature that allows users to indicate they are working on an alert or incident. This would prevent other users from wasting time investigating the same issue. Ideally, this wouldn't involve a formal assignment, but rather a temporary indication that someone is currently looking into it.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for 9 months.

    What do I think about the stability of the solution?

    Splunk Enterprise Security is reliable, and the stability is a ten out of ten.

    Splunk Enterprise Security offers good resilience. Even for unsupported tools, simple integrations can be customized. Splunk is constantly improving.

    What do I think about the scalability of the solution?

    I would rate the scalability of Splunk Enterprise Security ten out of ten.

    How are customer service and support?

    The technical support team is excellent. They proactively identify and inform clients about any vulnerabilities or security gaps in their environment.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    The initial deployment of Splunk Enterprise Security was fairly straightforward. While the documentation is comprehensive, fully deploying the solution can be time-consuming. The timeframe can vary depending on your environment's complexity. For instance, a company with 1500 to 2000 employees and a large number of systems and servers might require a month for complete deployment.

    I collect the client's requirements and then open a support ticket with Splunk. The ticket will address configuration assistance and, if the deployment is in the cloud, will inquire about the client's storage needs. After I submit the ticket, Splunk will communicate directly with the client.

    The deployment involves several teams, and I lead the oversight of both the deployment itself and the analytics function, ensuring a seamless process.

    What's my experience with pricing, setup cost, and licensing?

    While some clients find the cost of Splunk Enterprise Security to be on the higher end, its pricing is comparable to other SIEM solutions. Ultimately, the value it delivers justifies the investment.

    Don't simply choose the cheapest SIEM solution. Consider your organization's specific needs and environment. Even if you prioritize affordability right now, I can offer more powerful tools. However, the best solution isn't just about price. It depends entirely on your environment. Therefore, you need to establish a budget based on your specific requirements. Ultimately, the ideal SIEM solution aligns with your organization's needs.

    What other advice do I have?

    I would rate Splunk Enterprise Security 8 out of 10.

    Splunk Enterprise Security requires maintenance for new onboarding, log management, and archiving. A maximum of two people are required for the maintenance.

    Splunk Enterprise Security is a robust security solution that's easy to manage after initial configuration.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: integrator.
    Buyer's Guide
    Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
    Updated: June 2025