Splunk Enterprise Security Reviews

My main use cases for Splunk Enterprise Security include insider threat hunting, supporting operations, and Threat Intel integration for security; I have a lot of use cases.

The features of Splunk Enterprise Security benefit my organization by providing a faster response and making it easier for the analyst to investigate.

The features I appreciate the most about Splunk Enterprise Security are the Enterprise Security features, the threat intelligence of Enterprise Security, the onboarded ones, and the versioning of the rules introduced on Enterprise Security; these are the top ones.

My organization uses risk-based alerting in Splunk Enterprise Security. Splunk Enterprise Security has supported my SOC a lot, however, we have some challenges due to the architecture of our network, so there is some custom work to be done by Splunk engineers to help us maximize the benefits.

I am using new threat detection features in Splunk Enterprise Security, including the onboard ones and Mandiant. These new features have highly improved our threat detection capabilities.

Splunk Enterprise Security has helped improve my organization's business resilience.

I'm not dealing with pricing, setup costs, or licensing for Splunk Enterprise Security; I'm focused on the technical part. What works with Splunk Enterprise Security is that it does work in general; I haven't faced any challenges; it's great.

Improving Splunk Enterprise Security is a challenging task; I have already reported several technical issues to the relevant teams and received solutions from them.

One favor I ask for them is just to keep maintaining the on-prem version of Enterprise Security and not move everything to the cloud since we operate mostly in an air-gapped environment, so we only use some of the features of it.

Some additional features that should be included in the next release of Splunk Enterprise Security are an integrated Attack Range, not as a separate solution, and providing a way to test the rules in the production environment.

I've been using the solution for 11 years.

I have not experienced any downtime, crashes, or performance issues with Splunk Enterprise Security.

Splunk Enterprise Security scales pretty well with the growing needs of my organization; we don't have issues. I have expanded the usage of Splunk Enterprise Security a lot. The process of expanding usage has been smooth; I have no problems so far, and it scales very easily.

I would evaluate customer service and technical support for Splunk Enterprise Security as fast.

I would describe my experience with deploying Splunk Enterprise Security as straightforward.

I have seen a return on investment with Splunk Enterprise Security, definitely, however, I don't have the specific metrics to back that up.

The most significant challenge I face when using Splunk Enterprise Security for advanced threat detection is alert fatigue. Although there are ways to mitigate it, it remains a persistent issue, as evidenced by complaints from analysts. While alert fatigue is alleviated to some extent, it still persists.

My advice to other organizations considering Splunk Enterprise Security is to at least give it a try; I know there are other solutions in the market, some of which may even be better than Enterprise Security, however, you have everything on a single pane of glass, so I think it's definitely something that enterprises should test.

On a scale of one to ten, I rate Splunk Enterprise Security an eight out of ten.

On-premises

Typically, the standard approach for Splunk sizing involves gathering data from the entire IT environment, regardless of whether it's hardware, virtualized, or application-based. This data is then collected and monitored through Splunk as a comprehensive security solution. We also work with Splunk-related platforms like Application Performance Monitoring to provide a holistic view of system performance. Recently, we implemented this solution for a bank in Jetar. Splunk excels at collecting high-volume data from networks, making it ideal for performance monitoring and scaling. During the sizing process, it's crucial to calculate the daily data ingestion rate, which determines the amount of data Splunk Enterprise needs to process and visualize for security purposes. Several factors need consideration when sizing Splunk: tier structure hot and cold buckets, customer use cases for free quota access, and storage choices based on data access frequency. Hot buckets typically utilize all-flash storage for optimal performance and low latency, while less frequently accessed data resides in cold or frozen buckets for archival purposes. In essence, the goal is to tailor the Splunk solution to meet the specific needs and usage patterns of each customer.

One challenge that our customers face is slow data retrieval. Customers may experience delays in retrieving call data due to complex search queries within Splunk Enterprise Security. These queries can sometimes take up to an hour and a half to execute. Our architecture incorporates optimized query strategies and customization options to significantly reduce data retrieval times. This enables faster access to both hot and cold data. 

Another challenge is scalability constraints. Traditional solutions may have limitations in scaling to accommodate increasing data volumes. This can be a significant concern for customers who anticipate future growth. Our certified architecture is designed for easy and flexible scalability. It allows customers to seamlessly scale their infrastructure based on their evolving needs, without encountering the limitations often faced with other vendors' solutions.

The final challenge is complex sizing and management. Traditional solutions often require extensive hardware configuration and sizing expertise, which can be a challenge for many organizations. This reliance on hardware expertise can hinder scalability and adaptability. Our architecture focuses on software and application administration, minimizing the dependence on specific hardware configurations. This simplifies deployment and ongoing management, making it more accessible to organizations with varying levels of technical expertise.

Our architecture leverages Splunk's native deployment features, including: 
Index and bucket configuration. Data is categorized into hot, warm, and cold buckets for efficient storage and retrieval. Active/passive or active/active clustering. This ensures high availability and redundancy for critical data. Resource allocation. Data, compute, and memory resources are distributed evenly across clusters for optimal performance.

For high-volume data ingestion exceeding 8 terabytes per day, we recommend deploying critical components on dedicated physical hardware rather than virtual machines. Virtualization can introduce overhead and latency, potentially impacting performance. Utilizing physical hardware for these components can help mitigate these bottlenecks and ensure optimal performance for large data volumes.

Splunk Enterprise Security provides visibility across multiple environments. IT leaders and management directors often seek a simplified monitoring tool that can handle everything. However, using a third-party tool or a monitoring tool for multiple environments comes with certain considerations. These may include software version upgrades, connector updates, or API integrations for collecting specific metrics beyond the usual ten. Therefore, the key factors for a customer choosing a monitoring solution are, how easily can the tool integrate with existing physical, virtual, microservices, or hyper-scaler environments, whether it can provide a centralized view of monitoring data across multiple environments, and whether it can integrate with existing data analytics tools like Cloudera, Starburst, or Teradata. Integrating a monitoring solution with data analytics is crucial for a complete picture. While a standalone monitoring solution can help with capacity planning, data analytics provides insights for code analysis and historical data. This allows management to plan budgets, reduce costs, and make informed decisions for the future. Combining a monitoring tool like Splunk Enterprise Security with a data analytics engine like Cloudera or Teradata maximizes the value of data and empowers better decision-making.

Our monitoring tools offer various functionalities, including detection and third-party integration. For example, we have an integration with TigerGuard, a platform for threat detection. Additionally, we provide robust auditing capabilities to track changes within the environment. This helps identify potential intrusions and suspicious activity, whether from internal or external actors. To ensure the security of our monitoring tools, we implement several prevention and protection mechanisms. This includes continuous monitoring of logs and audits, even in case of tool failure. Leading enterprise monitoring solutions often connect to dedicated audit servers via SNMP traps, providing a centralized view of all infrastructure changes. This allows administrators, like Splunk users, to easily track modifications and identify potential security risks. Furthermore, individual software products within our monitoring suite have their access control lists and security measures. These may include features like certificates, user authentication, and security manager integration. Additionally, some products offer optional plugins or add-on licenses to enhance their auditing capabilities and meet specific organizational security requirements. Security is a complex and multifaceted topic, encompassing various aspects. This includes data location, user activity monitoring, intrusion prevention, and incident recovery procedures. Addressing these concerns effectively requires a comprehensive security platform assessment that evaluates the entire system, from hardware to applications, ensuring data integrity, encryption, and overall security at every layer.

Threat intelligence management utilizes dedicated tools for both threat and incident management. These tools help organizations define their response plan in case of an event, including how to recover, what the RTO and RPO are, and how to achieve them. This ensures the organization can recover quickly and efficiently in the event of a failure, unauthorized access, or data deletion. While threat incident management strategies may vary depending on the customer, the banking sector typically undergoes rigorous threat management inspections. While I may not be a threat management expert, there are crucial security measures to consider, encompassing personnel training, hardware security, and application controls. These elements, when orchestrated harmoniously, contribute to a secure environment that minimizes the risk of breaches, facilitates successful audits, and ensures data integrity.

The effectiveness of the threat intelligence management feature depends on how the customer responds to various threats, such as ransomware or network intrusions. While the tool provides recommendations, it requires customization to align with each organization's unique categorization criteria like high, medium, low, and specific security objectives. Ultimately, the goal is to protect data, enhance security, and ensure effective incident response procedures. Deploying the threat intelligence tool necessitates customization for each customer. Default settings may not be optimal, as human intervention might be necessary to address potential software errors or inaccurate recommendations. In such cases, manual intervention might be more effective. Therefore, the tool's usefulness depends on the specific threat, its recommendations, and the organization's response approach.

Splunk Enterprise Security is a powerful tool for analyzing malicious activity and detecting breaches. However, its effectiveness depends heavily on proper configuration and skilled administration. They must be able to connect Splunk with the necessary parameters, collect logs daily, and analyze them effectively. They must also have the ability to query Splunk efficiently to gather relevant data, an understanding of use cases and how to integrate with other systems securely, customization of the environment to meet specific needs, including adding connectors and add-ons, and visualization of data in a way that is clear and actionable for both analysts and management. While Splunk is a valuable platform, it requires careful management and expertise to unlock its full potential. Companies deploying Splunk should invest in skilled administrators to ensure its effectiveness in securing their environment.

Splunk helps us detect threats faster. As a Splunk administrator, I can monitor for suspicious activity, such as sudden changes in behavior, high resource utilization on specific file shares, or unusual data transfers. These events can trigger questions, like, Why is the system experiencing high utilization, is data leaking and being transferred elsewhere, why is this application consuming excessive resources, why has data suddenly disappeared from the system? Splunk Enterprise Security provides valuable insights and helps identify potential security issues. However, integrating threat intelligence management with Splunk can further automate this process. When suspicious activity is detected, the system can automatically take predefined actions. However, these actions require customization and testing before implementation. This may involve, customer review and approval of the automated response, POC testing to validate the effectiveness of the response, regular monitoring of the system's behavior and response to threat intelligence, and fine-tuning or customization of Splunk Enterprise Security settings to optimize threat detection and response.

Splunk has been beneficial to our organization from a partnership perspective. Even after Dell's acquisition of Cisco, our strong collaboration and certified solutions continue. This partnership strengthens our position with customers seeking the best solutions on the right platform. For example, if a customer requires a Splunk solution and a competitor lacks certified solutions, it could hinder their trust and purchasing decision. In contrast, our close collaboration with Splunk and certified add-ons for Splunk Enterprise Security adds value. We possess expertise in various Splunk architectures. I've worked with over four banks in Saudi Arabia alone that utilize Splunk and Dell hardware. Globally, we cater to diverse Splunk architectures and platforms, ensuring customer satisfaction with our diverse technology expertise. While we acknowledge competition, the focus here is on how our partnership with Splunk enhances the integration experience, offering both tightly coupled and loosely coupled architectures.

Since implementing Splunk Enterprise Security, we've observed improvements in both stability and the accuracy of data visualization. The low latency allows us to efficiently query the extensive data it provides. Splunk goes beyond collecting basic metrics like CPU or memory utilization; it comprehensively gathers data from various sources, including networks, applications, and virtualization. This unified platform eliminates the need for siloed solutions and enhances the capabilities of existing engineering software. While Splunk is a popular choice for data analysis due to its powerful features, its pricing structure based on daily data ingestion can be expensive. This pricing model, however, allows them to accurately charge based on resource usage. It's important to consider your data collection and visualization needs to determine the appropriate licensing tier. While other monitoring tools might share similar pricing models, Splunk distinguishes itself through its data segregation across various components. This simplifies communication between indexes, forwarders, and searches, allowing for efficient data processing within a single platform. Additionally, Splunk excels in data visualization and analytics, making it a leading choice for security and observability solutions. Their recent top ranking in Gartner's observability category further emphasizes their strengths. This recognition stems from their platform's compatibility with diverse hardware vendors, exceptional data visualization capabilities, and innovative data segregation strategies. Splunk's tiered access control and efficient cold/frozen data storage further enhance its value proposition. Ultimately, Splunk empowers users to interact with their data effectively. This valuable asset, when properly understood and visualized, can provide actionable insights without impacting network or application performance. Moreover, Splunk's customization and implementation potential extend beyond data analysis, offering recommendations and threat intelligence for proactive security measures. In conclusion, while Splunk's pricing might initially appear expensive, its comprehensive features and capabilities justify its cost for organizations seeking advanced data analysis and security solutions.

Realizing the full benefits of Splunk Enterprise Security takes time. While the software itself can be deployed quickly, it requires historical data to function effectively. This means collecting data for some time before you can rely on it for accurate insights. Several factors contribute to the time it takes to see value. First, there is deployment and customization. Setting up Splunk involves hardware, software, and integration, which can be time-consuming, especially during the first year. The second is data collection. Building a historical data set takes time, and the initial period may not provide significant value. There is also customization and training. Tailoring reports and training users requires additional investment, potentially involving workshops and professional services. To expedite the process, Splunk offers various resources including, proof of concept which allows testing Splunk with a limited data set for a specific period. Splunk may offer temporary free licenses for small workloads to facilitate initial evaluation. Splunk provides educational resources to help customers understand and utilize the platform effectively. Additionally, some partners leverage their Splunk expertise to help customers. Partners can educate and guide customers through the process, streamlining their experience, and assist with customizing reports and training users, accelerating the value realization process. By understanding these factors and leveraging available resources, organizations can optimize their Splunk implementation and achieve its full potential within a reasonable timeframe.

Splunk has been recognized by Gartner as a leader in providing visibility for observability and monitoring across various platforms, including physical, virtual, and container environments, for several years. This has made it a popular choice for many organizations, including those in the banking industry. Currently, only one of our banks utilizes QRadar. This may be due to the cost associated with switching from Splunk, which can be expensive. As a result, the customer might be prioritizing financial considerations over functionality at this time. It's important to note that while Splunk is recognized as a leader in platform capabilities, the decision to use a specific solution should ultimately be based on both functionality and cost considerations. This is why we have established a joint engineering team with Splunk to develop a platform that meets the needs of our customers.

I'd like a dashboard that allows me to connect elements through drag-and-drop functionality. Additionally, I want the ability to view the automatically generated queries behind the scenes, including recommendations for optimization. This is just a preliminary idea, but I envision the possibility of using intelligent software to further customize my queries. For example, imagine I could train my queries to be more specific through an AI-powered interface. This would allow me to perform complex searches efficiently. For instance, an initial search might take an hour and a half, but by refining the parameters through drag-and-drop and AI suggestions, I could achieve the same result in just five minutes. Overall, I'm interested in exploring ways to customize queries for faster and more efficient data retrieval. Ideally, the dashboard would provide additional guidance and suggestions to further enhance my workflow through customization and optimization.

I have been using Splunk APM for four years.

The stability of Splunk Enterprise Security depends on how data is tiered. Splunk recommends different storage options based on data access frequency and volume. Hot and warm data: This data is accessed frequently and requires fast storage like SSD or NVMe. Cold and frozen data: This data is accessed less often and can be stored on cheaper options like Nearline, SaaS, NAS, or object storage.

Splunk prioritizes cost-effectiveness and recommends low-tier storage for cold and frozen data, which typically makes up the majority of customer data. This reduces costs compared to expensive SAN storage. However, the decision ultimately depends on the customer's budget and specific needs. Customers with limited budgets or small use cases might choose to store all data on a single platform initially and expand to dedicated cold and frozen storage later. This approach requires manual configuration changes e.g., modifying index.conf and forwarder configurations to redirect data to the new tier.

While Splunk recommends optimal tier configurations for hot, warm, cold, and frozen data, the final decision rests with the customer based on their budget and specific requirements.

Changes to storage tiers can be implemented later through configuration adjustments, but this process might be more complex than using dedicated storage from the beginning.

Overall, Splunk guides the best tier options for different data access patterns while acknowledging the customer's autonomy in making the final storage decision.

We have ambitious expansion plans. As our customer base grows, we see significant increases in data ingestion. For example, one of our largest Splunk customers has increased its daily data ingestion from two terabytes to eight terabytes in just three years. This expansion benefits both the customer and Splunk. The customer gains valuable insights from the additional data, while Splunk increases its revenue through additional license sales. However, it's important to note that expanding data ingestion requires careful consideration of hardware limitations. Increasing data volume necessitates adding more forwarders, indexes, and searches, which can impact Splunk licensing requirements. This highlights the crucial need for comprehensive planning and resource allocation during expansion initiatives. Furthermore, we have observed instances where customers unintentionally exceed their licensed data ingestion capacity. For example, one bank was ingesting six terabytes of data per day while only holding a four-terabyte license. This underscores the importance of close monitoring and proactive license management to ensure compliance and avoid potential licensing issues.

Our expertise extends beyond Splunk. We offer certified architectures for other SIEM solutions like IBM QRadar, catering to diverse customer requirements. However, IBM QRadar does not have as wide of a platform as Splunk Enterprise Security.

Splunk can be expensive, as its licensing is based on the daily data ingestion volume. While we've observed numerous implementations, most are executed remotely by Splunk itself. However, if on-site assistance from a Splunk engineer is desired, it can be costly due to travel expenses from either the Dubai office or Europe. To address this, Splunk is exploring partnerships to offer implementation services at more accessible price points.

For someone evaluating SIEM solutions and prioritizing cost, traditional marketing materials may not be the most effective approach. Customers in Saudi Arabia, like many others, often appreciate tangible demonstrations of value. Therefore, consider offering a POC to showcase Splunk's capabilities in their specific environment. Investing in the customer through various strategies can demonstrate your commitment and build trust. Granting temporary access allows them to experiment with Splunk firsthand. Provide resources and support to help them learn and utilize the platform effectively. Leverage your partner network to offer additional training and expertise. Invite key decision-makers to exclusive events or meetings with Splunk leadership, fostering a deeper connection and understanding. Remember, success often hinges on addressing specific needs. While POCs and business cases are crucial, consider potential customization requirements and existing workflows. If they've used a different tool for years, transitioning may require additional support and training due to established user familiarity. Splunk's investment in the customer journey goes beyond initial acquisition. By offering POCs, temporary licenses, training, and even exclusive experiences, you demonstrate value and commitment, ultimately fostering long-term success. Demand generation, in essence, boils down to two key aspects, Identifying their specific requirements and desired outcomes, and recognizing that different customers have varying budgets, experience levels, learning curves, expectations, and decision-making processes. While some customers may be more challenging to persuade, others readily embrace the extra mile. Enterprise clients often fall into the latter category due to their greater flexibility in resource allocation, dedicated security operations teams, and ability to invest in necessary hardware. Remember, SIEM solutions often involve hardware considerations beyond just software, so understanding these additional costs is crucial for accurate solution sizing and customer budgeting.

Several competitors to Splunk exist in the market, including IBM QRadar, AppDynamics which is used by some customers for monitoring and security, and Micro Focus used for enterprise monitoring, incident reporting, and capacity planning. While Dynatrace is a leader in the field, its presence in the banking sector, particularly in Saudi Arabia, seems limited, perhaps due to having only one certified partner acting as its distributor. In contrast, Splunk boasts a wider network of partners who actively implement and enable customers, leading to its increased market prevalence.

I would rate Splunk APM a nine out of ten.

Monitoring multiple hyperscalers with a single tool can be challenging. While some tools like VMware CloudHealth offer limited cross-platform capabilities, they often focus on specific aspects like virtual instances and storage. For comprehensive cloud monitoring across different hyperscalers like Azure and AWS, third-party solutions are typically necessary. Here at Dell, for example, we focus on monitoring tools for our own workloads and installed base, allowing integration with third-party solutions for cloud environments. This enables customers with workloads across multiple hyperscalers to leverage established enterprise monitoring tools like New Relic, AppDynamics (Cisco), Micro Focus (HP), and Splunk for unified visibility. Ultimately, choosing a solution often involves balancing operational and capital expenditures. By employing third-party tools, organizations can achieve comprehensive monitoring across various cloud environments while potentially reducing overall costs.

We offer various deployment options for Splunk to cater to diverse customer needs and regulations. We can deploy Splunk on various infrastructures, including hyper-converged, bare-metal, two-tier, and three-tier architectures. While cloud deployment is an option, regulations from the Saudi Central Bank restrict customer data storage outside the kingdom. Therefore, most of our customers in the financial sector opt for private or local cloud solutions. While a dedicated private cloud experience for Splunk isn't currently available, customers are seeking access to features like the SmartStore, a caching tier that is now bundled with the Enterprise Security license previously offered separately from version 7X onwards. The chosen deployment approach depends on factors like budget, customer expectations, performance requirements, and compatibility with Splunk's recommended sizing solutions. We utilize both internal sizing tools and Splunk's official tools to ensure proper resource allocation for indexers, search heads, and forwarders based on specific customer needs. We have deployed our Dell servers, storage, and data protection solutions. Additionally, we have implemented a reference architecture. From a hardware perspective, we have everything in place to support Splunk as a reference architecture. This is indisputable, as it reflects our current infrastructure.

I have one customer who uses Splunk on a single site. In contrast, other customers have deployed Splunk in an active-active cluster configuration across two sites, effectively segregating the data across the environments with two-factor authentication. For these other environments, I have observed that each customer has a unique monitoring perspective or performance requirement, reflected in their individual subscriptions.

Splunk is responsible for software maintenance, while we handle the hardware aspects.

Splunk Enterprise Security is one of the most mature security solutions available. While it is expensive, it offers good value by providing the necessary security measurements, monitoring, and auditing capabilities required for running an enterprise environment. 

The combined forces of Splunk and Dell create significant resilience for us. Our joint architecture, strong alignment between the Dell account team and Splunk sales and presales, and collaborative efforts have been instrumental in addressing specific customer needs, such as sizing. This collaboration is mutually beneficial: Splunk focuses on selling licenses, while Dell prioritizes hardware sales. Unlike Cloudera, which optimizes licenses for its platform, Splunk bases licensing on the ingestion rate, demonstrating its alignment with our advanced architecture. This creates a win-win situation for both companies.

On-premises

During the initial two years, I was an incident response analyst who used Splunk Enterprise Security as a SIEM tool, and in the recent two years, I work as an admin who handles the integration part, content management part, and the detection response engineering.

We use disparate security solutions with additional IDS, IPS, and EDR tools integrated into Splunk Enterprise Security for single-handled monitoring for the analyst's ease. We do not need to go to each tool separately; instead, we integrate all of them into the Splunk Enterprise Security interface, allowing us to monitor them via Splunk Enterprise Security.

Regarding Risk-Based Alerting in Splunk Enterprise Security, we used to tag alerts while creating correlation searches in Splunk Enterprise Security.

I work with both on-premise and cloud-based setups.

Splunk Enterprise Security really helps improve business resiliency as we frequently capture real attacks.

In terms of customization ability and development capability inside Splunk Enterprise Security, it is very easy. Splunk Enterprise Security is a wide tool that we can use for different purposes. Splunk Enterprise Security can be configured in many ways, not just as a SIEM, but we can leverage it in various ways. The application add-on support from Splunk is very wide, making it very easy for configuration and customization.

The functions in Splunk Enterprise Security that I find most valuable are its ability to integrate any type of logs into the system. It is very user-friendly to read logs in any languages, which we can convert into a human-readable format in Splunk Enterprise Security, making log analysis and monitoring very useful compared to competitive SIEM tools.

The main benefits Splunk Enterprise Security provides to end users include a wide view, allowing us to have different kinds of views for the logs, and we can search according to the retention period we set in Splunk Enterprise Security. This capability and storage are good enough to retrieve older data for evaluation and analysis.

I find that threat detection in Splunk Enterprise Security is a wide case; we have the opportunity to create correlation searches, dashboards, and even integrate threat intel solutions in multiple ways into Splunk Enterprise Security. We can leverage these opportunities to get alerts based on these searches.

Whenever an upgrade happens from a lower version to the latest version, some things get complicated, particularly compatibility issues, which we usually see in Splunk Enterprise Security. In those cases, it sometimes definitely requires Splunk Enterprise Security's support or vendor support to resolve those issues. Compatibility issues during upgrades are a major concern.

I am generally satisfied with the functionality of Splunk Enterprise Security, and my only concern is the compatibility issue during upgrades.

I have been working with the product for four years.

I rate Splunk Enterprise Security's stability as a nine.

I consider its scalability, ability to scale, and ability to expand to be a ten.

I would rate vendor support as a nine.

The initial setup for Splunk Enterprise Security is simple, and guides from Splunk Enterprise Security support are available on the internet, making it very basic. We can read and understand the next steps from there.

On average, the time a SecOps team takes to remediate security incidents with Splunk Enterprise Security depends on projects. If the team is working as a threat hunt team, they do not have a proper SLA, but for incident handling, some projects have 15 minutes, others 30 minutes, one hour, or in some cases, up to four hours. It varies according to the project and client requirement; incident handling is different from incident response, which usually requires more time for detailed analysis.

I am totally satisfied with Risk-Based Alerting because it works well; it works on intermediate findings. If multiple detections occur for the same host or IP, it looks for behavioral analysis and generates alerts for the analyst based on that risk, so it is actually working well in Splunk Enterprise Security.

I can recommend Splunk Enterprise Security to other users. My overall rating for this product is eight out of ten.

Hybrid Cloud

Other

I would like to discuss Enterprise Security, and I explain that the main use case for the product is to protect our customers and support various attacks.

Regarding threat detection, I explain that during investigations, most of our SOC-related customers use Splunk Enterprise Security to identify threats.

In terms of benefits, Splunk Enterprise Security provides numerous advantages to end users, notably in reducing personnel needs for SOC operations.

Regarding pricing for Splunk Enterprise Security, I find it relatively affordable globally, although it seems costly in India due to currency exchange.

In my opinion, the functions in Splunk Enterprise Security that I find most valuable include unique features and tools that the product offers.

For improvement points, I think Splunk has several enhancements on the table right now to enhance Splunk Enterprise Security with functionalities and threat detection improvements.

I have been working with Splunk Enterprise Security for seven years.

For stability, I would rate it a 10, as Splunk Enterprise Security is generally stable, especially now with its latest version.

Regarding scalability, Splunk Enterprise Security is way ahead compared to other products, and I would score it at the maximum.

I would rate Splunk Enterprise Security's technical support as a 10, as they provide 24/7 assistance based on priorities and are accessible for queries.

Positive

In comparison to other products, I think previous tools such as IBM QRadar were competitors, but currently, I hear about CrowdStrike getting into the picture.

In general, I find that the initial setup for Splunk Enterprise Security is simple, especially with clear documentation from Splunk.

It depends on the client; if they have a qualified engineer with experience in Splunk Enterprise Security, they can handle the setup themselves.

The solution is deployed both on-premises and cloud-based, depending on the customer's domain.

My feedback regarding some processes of customizing, developing, and testing in Splunk Enterprise Security is that I am thinking from a customer perspective, focusing on the customizations they require.

I have experience with risk-based alerting in Splunk Enterprise Security, as we configure based on the priority of the instance, servers, or the endpoints.

During my experience with Splunk Enterprise Security, I have faced some significant challenges, particularly with customers adapting from version 7 to version 8.

Hybrid Cloud

I deal with the Palo Alto FO and then Cortex XSIAM. I work with Cortex XSIAM and Cortex EDR products. We recently adopted Cortex XSIAM from Splunk Enterprise Security as our SIEM product for log management.

I have two to three years of experience with Splunk Enterprise Security, but not continuously; this is just a tool used by me, not daily. We send logs from the firewalls to XSIAM and analyze the traffic logs to determine whether deny or allow for migration. We use both Splunk and Cortex XSIAM for log analysis. I have never dealt with Splunk support.

I have experience with Palo Alto, Cisco, and Fortinet products. Splunk Enterprise Security is more dedicated to logs, not a unified product like Palo Alto. Palo Alto Cortex has the same UI across Cortex EDR and Cortex XSIAM, so all the product family is in one UI, whereas Splunk Enterprise Security is more focused on log search.

Palo Alto has better speed and better visibility. I can see all the M-points from one UI and search the logs from this UI. I use disparate security solutions that integrate or import data into Splunk Enterprise Security, including different log sources from the endpoint, firewall, router, switches, and everything that needs logging for visibility.

Splunk Enterprise Security can retain logs for compliance purposes longer than the usual three months. The dashboard capability also allows Splunk Enterprise Security to create dashboards based on logs, which makes it really helpful for visibility.

I feel more comfortable using XSIAM now compared to Splunk Enterprise Security. Splunk Enterprise Security is already a mature product, so I do not have much to point out. It could be a little more user-friendly, which would be nice.

It could also expand the product family beyond security log search. Since it has the capability of indexing things, perhaps Splunk Enterprise Security could develop their own EDR agent like Palo Alto and create a product family with a unified dashboard. This would definitely help the enterprise.

Splunk Enterprise Security documentation exists, but compared to Palo Alto, Palo Alto has more knowledge base articles. Even though the concepts are the same and multiple engineers have written articles for cross-reference, I do not see this level of documentation in Splunk Enterprise Security.

I have two to three years of experience with Splunk Enterprise Security, but not continuously; this is just a tool used by me, not daily.

The switch to Cortex came from management, likely because the Palo Alto product family is already in our environment. We have been using Palo Alto GlobalProtect and other security products, so bringing XSIAM into the environment makes sense.

I do not see a real difference between XSIAM and Splunk Enterprise Security; they both have a search query functionality. Splunk Enterprise Security has Splunk query language, so it is just a different language and different way of searching logs. Eventually, we get the same logs including source, destination, port, and traffic allow and deny information.

I used to be a customer with Splunk Enterprise Security. I have hands-on experience but not extensive experience with Splunk Enterprise Security products in the past. I am more focused on networking than the security team. I do not have an answer about how long on average it takes SecOps teams to remediate security incidents using Splunk Enterprise Security.

I would rate this review an 8.

I work in a SOC team where I study threat hunting and threat determination. Most of my work is based on looking for malware traffic or suspicious traffic in Splunk Enterprise Security. I belong to the SOC team.

The best feature about Splunk Enterprise Security is its clean interface and the detail it provides. It helps us manage logs with a very clean interface, which is not available in other software. 

They also provide extensive learning resources on their official site that help us while performing tasks. Its documentation and community are very strong, making it a perfect SOC tool. If we come across any problem, we can search the community or consult the documentation for solutions. 

It is very clean and detailed, helping us detect threats easily. Splunk Enterprise Security performs 80% of our work on its own; we just have to do the remaining 20%, which gives us the freedom to explore and detect threats more effectively.

The machine learning capabilities of Splunk Enterprise Security are good, but they can be improved. In a changing threat landscape, its machine learning capability can be improved in behavior-based analysis because signature-based analysis does not work very well currently.

It can improve in detecting new types of attacks or IOCs through behavior-based learning capabilities. For example, if there are malware traffics incoming, it should detect them using network logs more precisely, as most malware traffic uses the same kind of port or attack.

There should be a community program or hackathon-type events where people can develop more advanced and sophisticated machine learning models for Splunk Enterprise Security to enhance its functionality. 

Adding a chatbot similar to GitHub Copilot in Splunk Enterprise Security would be beneficial. It would help write different kinds of sophisticated queries and assist in solving problems we encounter, similar to what we have in VS Code.

There is good scope for developing Splunk Enterprise Security for low-level systems such as Raspberry Pi. However, for server deployment, a robust server is essential. Development should focus on making Splunk Enterprise Security capable of running on devices such as Raspberry Pi.

I used Splunk Enterprise for a long time in previous organizations. I have also used the Community version for my personal projects, which is available for free. I have experience with both Splunk Enterprise Security and the normal Splunk Community version. I still use Splunk Enterprise Security quite frequently when working with SOC and related processes.

Splunk Enterprise Security is highly scalable, which is why approximately 95% of the industry uses it without experiencing scalability problems. It performs exceptionally well when discussing scalability.

I do not remember contacting technical or customer support. Whenever I faced any problem, I usually consulted the documentation or community, and 99% of my problems were solved that way.

I have used Wazuh, Elasticsearch, Kibana, and some basic Linux SOC management tools such as Zeek and Wireshark as alternatives to Splunk Enterprise Security. However, I find Splunk Enterprise Security to be much more advanced than those tools, as they lack automation and machine learning capabilities, requiring customization from the user. Splunk Enterprise Security is more refined and offers a better experience.

Its deployment is difficult. I remember when I first started learning, I faced several challenges, especially when deploying VMware in a virtual environment. It was quite a difficult task. However, when deploying on a server, I would consider it to be at a medium level of difficulty. On the other hand, if you're deploying for a learning lab or something similar, it’s pretty much on the hard side.

For personal home labs, it is a one-person job, meaning a seasoned professional can handle it. For enterprise-level deployment, a person managing operations and a person handling server management is sufficient. After the initial deployment, one person is enough for a mid to low-level company, while a higher-order company requires a team to operate Splunk Enterprise Security.

Splunk Enterprise Security requires very little maintenance on my end, as it has improved significantly. If there are no frequent changes in the server, there is not much maintenance required. I have not invested much time in updates or maintenance, so once deployed, you just need a good professional to use it; maintenance is not much of a concern.

The pricing of Splunk Enterprise Security is fair for what it provides. If someone wants everything for free, it is not a reasonable expectation. Everything comes at a price, and I find it to be affordable, which is why every industry uses it. Its pricing is fair, and the community version works well for learning purposes.

I would rate Splunk Enterprise Security an eight out of ten.

On-premises

I'm an end user, admin, and consultant. We use Splunk Enterprise Security internally in our organization, and I also use it for my personal studies. My usual use cases for Splunk Enterprise Security include monitoring several kinds of exchange server logs and Office 365 logs, among others, as we have multiple monitoring use cases based on our requirements in our environment. We were trying to solve multiple things by implementing Splunk Enterprise Security, particularly for monitoring our applications based on the insurance business, so we use Splunk Enterprise Security logs for security purposes and internal infrastructure monitoring, including logs matching security purposes in our Office 365 and exchange servers.

The most valuable features of Splunk Enterprise Security are several add-ons and TAs, while the lack of a DB requirement is a significant advantage for the business, allowing easier management without needing in-depth DB knowledge. I find that Splunk Enterprise Security's ability to import data from various sources, including looking up Excel files, is quite effective, providing a good way for management.

We import data from several unique data sources into Splunk Enterprise Security, possibly more than a hundred because we have AWS and multiple servers. We have disparate security solutions that integrate data into Splunk Enterprise Security. I can still query data in Splunk Enterprise Security regardless of where it resides, and in my perspective, the query provides data quickly.

Splunk Enterprise Security has improved our organization's ability to ingest and normalize data compared to before using Splunk Enterprise Security. The unified platform helps consolidate networking, security, and IT observability tools, which is very relevant to our internal needs. Using Splunk Enterprise Security, our focus was not on reducing alert volume but on properly finding and handling alerts; we've managed to capture 100% of them effectively.

Splunk Enterprise Security provides the relevant context to help guide investigations by allowing us to share application logs and details with clients efficiently. We utilize out-of-the-box detections in Splunk Enterprise Security, and we have created dashboards that add value to our monitoring efforts. Customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is easy; it has been a good experience without significant difficulties.

We upgraded to Splunk Enterprise Security from version 8.0.4 to 9.0.6, and also from 8.1.4 to 9.0.6; it worked well with the support we received from the team, and it has proven to be very useful. Splunk Enterprise Security provides the foundation for unified threat detection, investigation, and response, enabling fast identification of critical issues.

The solution could be improved by integrating more application monitoring features and possibly incorporating AI capabilities to enhance its functionality.

I've been working with Splunk Enterprise Security for six years.

Splunk Enterprise Security is stable and scalable, making it a good tool that is beneficial for our needs.

Splunk Enterprise Security is stable and scalable, making it a good tool that is beneficial for our needs.

I participated in the deployment process of Splunk Enterprise Security, and we performed UAT before moving it to production. It's not the most affordable solution, as I've witnessed several companies considering leaving due to cost factors. The pricing of Splunk Enterprise Security is not very affordable, and I have seen many companies planning to leave because of cost concerns.

Amazon Web Services (AWS)

My use cases for Splunk Enterprise Security involve both security as well as data analytics.

Splunk Enterprise Security has helped greatly improve the organization's business resilience.

The features of Splunk Enterprise Security that I appreciate the most include the recent AI feature and the MITRE mapping feature.

AI helps in analyzing a certain detection within Splunk Enterprise Security and assists with some tasks that I might require internet or other tabs to work on, while MITRE ATT&CK helps me to map the attacks and provides coverage for my attacks.

I would appreciate improvements in the licensing aspect, especially with the SVC-based license, as there is no proper view on top of it regarding how much CPU and usage is being done on the SVC-based license, along with updates to the SOAR version.

The experience with alerts, specifically risk-based alerts, is good, but it might need some improvement as there might be some deviation or false positives, so I think implementing AI over there might increase the feasibility or view around it.

I think the pricing aspect of Splunk Enterprise Security is quite high compared to other products, which I hear from most of my customers.

I have been working with Splunk Enterprise Security for approximately 3.5 years.

I would assess the stability and reliability of Splunk Enterprise Security as very good, with not much downtime or crashes, as it depends on the hardware used and the kind of setup done, which is primarily based on misconfiguration or not predicting something.

I have not faced any significant challenges when using Splunk Enterprise Security; there is not much that I cannot solve.

Splunk Enterprise Security scales very well with the growing needs of my organization and my clients' organizations.

Expanding usage with Splunk Enterprise Security consumes time and effort, but the end result is actually good.

I would evaluate customer service and technical support as good but not very good.

On a scale of one to ten, I would rate them somewhere around seven to eight.

Positive

I would describe my experience with deploying Splunk Enterprise Security as good, pretty easy, straightforward, and with plenty of documentation.

I have not faced any challenges during the deployment aspect; even if I did, I figured it out using Splunk Community and Splunk documentation.

It does bring measurable benefits in terms of return on investment for clients; specifically, for banking or finance customers who wish to contain their data within their environments, they would definitely go for Splunk Enterprise Security compared to CrowdStrike, but less mature organizations might prefer other products.

The key differences, both pros and cons of Splunk Enterprise Security in comparison to CrowdStrike, are that I am a Splunk enthusiast and I love Splunk Enterprise Security, but CrowdStrike is good in search and detections due to its status as a threat intel partner, which offers good detections, while customization done in Splunk Enterprise Security might take too much time on CrowdStrike and there are fewer integration options with CrowdStrike.

I don't have much idea on disadvantages of Splunk Enterprise Security apart from the pricing.

I am currently working with Splunk products.

I work with Splunk Enterprise and Splunk Enterprise Security.

The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is pretty easy for me as an expert, but I'm not sure for a new user; being a Splunk architect, I feel it's a little easy and the customization is very helpful.

We have it integrated with various disparate solutions including RSA, CrowdStrike, AWS, Google, Microsoft, Docker, firewalls, switches, and multiple other technologies.

This integration supports my security operations by fetching logs about user activity and audit logs and actions taken by the user; for normal products, this allows me to analyze, detect, and correlate two or three different datasets to build up a use case from which I can deduce some information, and with the queries I have using SPL queries, I can get some data analytics or alerts or reports based on which I can take action.

I use risk-based alerting in Splunk Enterprise Security.

My experience with risk-based alerting, while not mainly focused on the SOC part of Splunk Enterprise Security, provides support to my engineering efforts.

I am not currently using any new threat detection features in Splunk Enterprise Security; I have no idea about that part of it.

My impressions of Splunk Enterprise Security's capability to predict, identify, and solve problems in real-time depend on what kind of data is being received and the use cases being written; it is not straightforward, but because Splunk Enterprise Security is an analytics platform without AI on top of it, it feels that some data sources are less predictable, yet for jobs that are repetitive or similar, Splunk Enterprise Security works well.

I would rate this product a 9 out of 10.

Hybrid Cloud

Other

My use case for the project is thin.

What I appreciate about Splunk Enterprise Security is creating the newest SPL for network traffic. I use the risk-based alerting feature. The risk-based alerting helps my organization by allowing me to learn more information about Splunk every day because it is a big platform.

I think that Splunk Enterprise Security is a very good platform, but the price is very high. I don't know how to explain what else can be improved in Splunk Enterprise Security aside from pricing. Support is important for improvements. My thoughts on better support include better knowledge base and better response time; it encompasses both aspects.

I moved to Splunk Enterprise Security and learned it for two to three years, but in the last year, I worked with my friends on one project.

I rate the stability as a five. I encounter issues such as downtime, bugs, glitches, and unbox errors.

Only two users use Splunk Enterprise Security.

Support is important for improvements. My thoughts on better support include better knowledge base and better response time; it encompasses both aspects. I rate support as a five.

Positive

I think it was easy to install, but this platform has many components I must learn. It took me months to deploy.

I am reviewing Splunk Enterprise Security today, and I am working on one simple product and creating simple SPL. My thoughts on customizing, developing, testing, deploying, and refining detections are focused on detection. The testing is just the last component. My thoughts on the testing feature in Splunk Enterprise Security involve the network traffic to Cisco traffic, Uniper, or low car infrastructure. I am using new threat detection features in Splunk Enterprise Security and would work on big projects in the future. I do not use disparate security solutions that integrate or import data into Splunk Enterprise Security. I am wanting to learn more because I create simple SPL, and my friends are not Splunk Enterprise Security expert admins. I would recommend Splunk Enterprise Security to other users because it is a platform for monitoring all traffic, network infrastructure, hardware, software, and everything.

I rate the solution overall as a five out of ten.

Public Cloud

Microsoft Azure

My main use cases for Splunk Enterprise Security are responding to alerts, looking for logs, and for investigations.

The features I appreciate the most about Splunk Enterprise Security are the basic search capabilities, seeing what I input into the search and what results I receive, such as the charts and their visibility. These features benefit my organization by helping with our investigations; when we receive something, we're able to quickly find its source and nature. Everything I'm seeing now in Splunk Enterprise Security is effective, especially the AI and the Attack Analyzer, which I found particularly impressive.

The most significant challenge I face when using Splunk Enterprise Security for advanced threat detection is not with Splunk itself, but with our own asset management and knowing what our assets are, particularly regarding visibility.

I have been using Splunk Enterprise Security for about a year.

I have experienced maybe one downtime, crash, or performance issue.

I would describe the stability and reliability of Splunk Enterprise Security as good, with only a couple of issues that were within our own team.

Splunk Enterprise Security has been good so far in scaling with the growing needs of my organization; we haven't been growing too much to where it's a problem, but it's been performing well.

I would say we haven't seen any return on investment with Splunk Enterprise Security because we are still maturing and trying to get everything situated, and we're experiencing roadblocks with other teams not wanting to give us what we need.

Splunk Enterprise Security handles problems in real-time. 

When rating Splunk Enterprise Security overall, I'd give it a nine out of ten. I appreciate that it has a good UI that looks good and works well. I would recommend Splunk Enterprise Security.

Public Cloud