Associate at PricewaterhouseCoopers
Provides centralized monitoring, customized dashboards, and speeds up security investigations
Pros and Cons
- "The most valuable features in Splunk Enterprise Security are the cluster capabilities."
- "The licensing price is high and has room for improvement."
What is our primary use case?
I'm part of the Splunk operations team, which means I support Splunk functionality and occasionally conduct threat management onboarding. We assist various teams with threat-related tasks. If they need help bringing log sources into Splunk, we guide them through the process. Once the logs are onboarded, we create correlations to identify threats, troubleshoot issues, and help mitigate potential risks.
How has it helped my organization?
We handle incidents through a queue configured in our event management system. This includes automated incidents for our Splunk infrastructure, like server health checks, and user-reported issues where functionalities like the fetch score aren't working. We address all incidents, whether automated or user-raised, through this system.
We've made significant improvements to our Splunk infrastructure to support our internal teams. This ongoing effort focuses on helping application teams onboard logs from various applications for their review and troubleshooting. We've streamlined the onboarding process, improved data quality, and ensured smooth data consumption for our internal users.
Splunk Enterprise Security offers multi-cloud environment monitoring capabilities that we can utilize for our users if they require it.
We can build a dashboard in Splunk to centralize the monitoring of critical information. This dashboard can display key metrics for onboarding methods and LogSources we actively track, providing a clear view of our entire monitoring environment.
While Splunk Enterprise Security offers good threat detection capabilities, our current process limits visibility into user activity. When users request correlations, we create the code and configure everything on our end, and then they test and work on it from theirs. This lack of transparency extends to threat management, as we can't directly see tickets in their separate ServiceNow system. If they encounter issues, they share details in a document for us to review and address.
It comes with a large collection of correlation searches, but we'll need to review them to find the ones that match our specific needs for monitoring malicious activity. Once we've identified the relevant searches, we can customize or recreate them within the correlation settings to best suit our environment.
Splunk Enterprise Security helps us detect threats faster.
Splunk Enterprise Security is a good monitoring tool that allows us to track specific details by creating custom queries. For instance, to monitor a particular organization's infrastructure, we would first onboard their logs and then create queries to capture relevant information. This way, any suspicious activity, attacks, or other events would be easily identified within the infrastructure. Additionally, Splunk's checkup operation minimizes the chance of missed alerts by automatically identifying detections, ensuring near-complete coverage of around 99 percent unless there are outages or limitations with global agents.
Splunk Enterprise Security helps us speed up our security investigations.
The customizable dashboard for our security operations is a good feature.
What is most valuable?
The most valuable features in Splunk Enterprise Security are the cluster capabilities.
What needs improvement?
The licensing price is high and has room for improvement.
Buyer's Guide
Splunk Enterprise Security
September 2025

Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: September 2025.
868,787 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Splunk Enterprise Security for four years.
What do I think about the stability of the solution?
Splunk Enterprise Security is stable.
What do I think about the scalability of the solution?
Splunk Enterprise Security can scale according to our needs.
How are customer service and support?
The technical support has been successful in resolving the majority of our cases.
How would you rate customer service and support?
Positive
How was the initial setup?
While the deployment process itself is simple, the number of personnel needed varies depending on the infrastructure size and user base. A small deployment for 50 users can be completed by two people, while larger deployments supporting over 500 users may require up to 15 people.
What's my experience with pricing, setup cost, and licensing?
The Splunk Enterprise Security license is expensive.
What other advice do I have?
I would rate Splunk Enterprise Security eight out of ten. Splunk improves user efficiency by streamlining workflows and enabling the detection of anomalies within data.
Splunk Enterprise Security is deployed across multiple locations in our organization.
To ensure our data remains secure, Splunk servers require monthly maintenance. This maintenance includes installing security patches that address vulnerabilities and prevent unauthorized access to our information.
Which deployment model are you using for this solution?
Private Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
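The review above describes taking a shipped correlation search, reviewing it, and recreating it to fit the environment. As an added illustration (not the reviewer's configuration and not a search shipped with Splunk Enterprise Security), the stanza below is what such a custom correlation search looks like when it lands in savedsearches.conf: a scheduled tstats search over the CIM Authentication data model that raises a notable event when one source produces many failed logons against several accounts. The stanza name, the 10-minute window, the thresholds of 20 failures and 5 distinct users, and the severity are assumptions to tune per environment; the search assumes the Authentication data model is accelerated, and the `action.notable.param.*` keys should be checked against the ES version installed before deploying.

```ini
# savedsearches.conf in a custom ES app (added example; thresholds are assumptions)
[Custom - Brute Force From Single Source - Rule]
enableSched = 1
cron_schedule = */10 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
# tstats over the accelerated Authentication data model keeps the search cheap
# enough to run every 10 minutes; the trailing filter is the actual detection.
search = | tstats summariesonly=true allow_old_summaries=true \
    count as failures dc(Authentication.user) as distinct_users values(Authentication.user) as user \
    from datamodel=Authentication.Authentication \
    where Authentication.action="failure" \
    by Authentication.src _time span=10m \
  | rename Authentication.src as src \
  | where failures >= 20 AND distinct_users >= 5
# Register with ES as a correlation search and create a notable on each result
action.correlationsearch.enabled = 1
action.correlationsearch.label = Brute Force From Single Source
action.notable = 1
action.notable.param.security_domain = access
action.notable.param.severity = high
action.notable.param.rule_title = Brute force from $src$
action.notable.param.rule_description = $failures$ failed logons against $distinct_users$ accounts from $src$ in 10 minutes
```

The 10-minute offset on `dispatch.latest_time` leaves room for forwarder lag so events are not counted twice across runs, and using `summariesonly=true` means the rule only sees data the data model has already accelerated, which is the usual trade-off between speed and completeness in ES correlation searches.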

Senior System Administrator at a tech services company with 5,001-10,000 employees
Efficiently correlates large volumes of log data and makes it usable for end users
Pros and Cons
- "Both quality and speed are lacking. Quality-wise, tickets sometimes go in circles, with unnecessary complications and escalations requiring repeated explanations."
What is our primary use case?
I lead a team that does Splunk administration. We mainly worry about the platform itself, ensuring everything works, log sources are coming in, and assisting with searches. We have a dedicated security team that represents the user side, the consumers of that data. We try to get all the log sources in for them so they can create detections, alerts, dashboards, and their own custom app integrations. We support them as much as we can in the platform, and they do their security work based on that.
What is most valuable?
The biggest thing that Splunk is known for across all its platforms is aggregation. We have thousands of log sources coming in, and Splunk Enterprise Security does a great job of correlating that information and making it very searchable and usable for the end user. This is my most enjoyable feature.
Splunk Enterprise Security is a huge value-add to us because I can confirm that our security team treats it as a normal component of their daily operations. They access Splunk Enterprise Security multiple times every single day doing their job. This proves substantial value given they need it that frequently, and considering the proportion of our contract.
What needs improvement?
Even though aggregation is one of the best features, they do poorly at integrating their own products with each other. There is Splunk Cloud, which handles searching, and there is Splunk Enterprise Security. In the backend, these are separate instances, even though the data comes from essentially the same database source. When I make changes on one platform, it may or may not affect the other side. This leaves me with uncertainty between what I'm doing in one, not knowing if it will affect the same thing on the other side. By extension, I sometimes make redundant changes already done on the other side. The discrepancy between the different search heads leaves me confused most of the time about these changes.
Their support also needs improvement.
For how long have I used the solution?
I have been using this solution for about two years now.
What do I think about the stability of the solution?
For stability, I would give it an A grade. The platform generally runs exceptionally. It occasionally experiences brief interruptions, but their operations people who manage the cloud side typically have the system back up before I receive a response to my submitted ticket. They are very aware of their system's stability on the operational side.
For performance, I would give it a B grade. Some of the performance issues could be due to our own tuning that we could improve. However, Splunk is designed to handle vast amounts of data, and in my opinion, it should operate a bit faster, especially when initiating searches or processing smaller jobs. It would be helpful if these tasks could run more quickly because, once the search actually starts, it performs well. The initial parsing phase, when running a new search, can take quite a while, and I find it frustrating to have to wait during that part.
What do I think about the scalability of the solution?
In terms of infrastructure, I cannot speak to it since it is cloud-based and operates as a black box regarding scaling. However, when it comes to handling increased data loads, Splunk Enterprise Security performs exceptionally. When we onboard new things, new log sources, or experience extra volume from heavy firewall activity, Splunk Enterprise Security processes all the data efficiently. From the time a log is generated on a system to when it reaches Splunk Enterprise Security is extremely fast. Though search time might be slightly slower than preferred, ingestion time for logs to hit the cloud is fantastic.
How are customer service and support?
Both quality and speed are lacking. Quality-wise, tickets sometimes go in circles, with unnecessary complications and escalations requiring repeated explanations.
Speed is particularly problematic. I submitted a high-priority ticket for a broken login configuration to Splunk Enterprise Security, called twice, and received no response from Friday until the following Monday. After escalating to our sales team requesting immediate response for our security team's broken access, we finally received assistance, and we were able to get back on track, but I was really unhappy with the situation. It was a critical priority issue that they were not addressing appropriately. We have paid for Splunk support, and we’re not on the free tier hoping for assistance; we are a significant customer and invest a lot in this service. Given our active contract, we expect to receive better support. This area definitely needs improvement.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I previously used AlienVault, an open source solution, but was not as deeply involved with it as I am with Splunk Enterprise Security.
How was the initial setup?
The initial setup precedes my time with the company. When I started using it, it was a bit of a challenge. Splunk Enterprise Security is extensive and complex. The setup was not necessarily more difficult than regular Splunk Core since they are integrated, but the learning curve was quite steep. It took approximately six months to feel comfortable administering the full system independently.
The solution requires significant maintenance. It is very stable, but to keep things moving forward, we must do considerable work. Apps or add-ons we install require our own updates if they are not default ones offered by Splunk Enterprise Security. The baseline configuration gets upgraded automatically, which I appreciate. However, maintaining all other add-ons falls to us, which requires substantial work, especially as Splunk Enterprise Security is aggressive with their updates and minor versions. We must constantly do compatibility checks or create technical debt by staying behind versions sometimes, not knowing what features we might miss.
What's my experience with pricing, setup cost, and licensing?
The pricing is very reasonable for what it offers us. Out of our entire contract, Splunk Enterprise Security represents approximately 15% of our total Splunk expenditure. Splunk Enterprise Security is a huge value add to us because our security team treats it very much as a normal component of their daily operations. They go into Splunk Enterprise Security multiple times every single day doing their job. That means that it proves a lot of value to where they need it that frequently. Given the proportion of our contract, there is a lot of value right there.
What other advice do I have?
Splunk Enterprise Security has approximately seven different AI capabilities. These include natural language processing for search query assistance, machine learning for alerts and data processing, and plugins such as Tensor for external AI processing. However, I remain cautious about enabling all AI features without understanding their performance impact.
I would rate Splunk Enterprise Security a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Jul 30, 2025
Senior Information Systems Security Analyst at a manufacturing company with 5,001-10,000 employees
Provides impressive end-to-end visibility into our environment
Pros and Cons
- "The end-to-end visibility into our environment that Splunk provides is impressive. We just need to use it better."
- "I would like more assistance with use cases and help with teaching us how to use it once it's installed."
What is our primary use case?
Our primary use case is for detected malware.
What is most valuable?
The end-to-end visibility into our environment that Splunk provides is impressive. We just need to use it better.
We are a small team. For us to look at all those logs ourselves would be difficult. There is some decent insight into what's going on. It's just a matter of actually utilizing that data and taking action on it.
We would probably see more time savings if we used Splunk more.
We're an on-prem network. During the installation, we found several issues that we should look into. We just need to utilize more.
Splunk has shown us some gaps where we need to ingest and normalize data, and we have built those gaps.
Splunk Enterprise Security provides us with context to help guide our investigation. It's a starting point to actually look at the logs and figure out what we need to look into. It's useful.
It helped to consolidate networking security and IT observability tools. We use Splunk in general a lot for operations, and then we've been able to build dashboards.
For how long have I used the solution?
I have been using Splunk Enterprise Security for two years.
What do I think about the stability of the solution?
The stability is pretty good. It's fairly stable. I haven't had any issues with it so far.
How are customer service and support?
Splunk support is difficult for us. There are gaps in the network. I work for a government entity so getting a classified rep to come out is difficult.
I would rate their support a five out of ten due to their availability and talent.
How would you rate customer service and support?
Neutral
How was the initial setup?
It took us a while to groom all of our data correctly so that it worked well with ES. That took two weeks. As far as the finish goes, there's definitely room for improvement.
I would like more assistance with use cases and help with teaching us how to use it once it's installed.
What about the implementation team?
We deployed through professional services.
Which other solutions did I evaluate?
We're a young team so we're still evaluating processes. We already had Splunk Core. It was already installed when I started working here. I was part of the installation team when they deployed Splunk Enterprise Security.
What other advice do I have?
I would rate Splunk Enterprise Security a five out of ten because I'm still figuring it out.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Group manager at HCM Technologies
It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query
Pros and Cons
- "It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query on Splunk. The resolution time is about the same, but it took longer to discover the issue with ArcSight. Our previous solution took about an hour or more, but Splunk can do it within a few minutes or an hour at most."
- "The ingestion happens quickly, so you can run up the data costs if you use the default settings. It isn't a problem for government agencies in the Saudi market, but many of the corporations in India are small or medium-sized enterprises that cannot afford that kind of ingestion system."
What is our primary use case?
We deploy Splunk for law enforcement agencies facing attacks from threat actors in China, Iran, and Pakistan. It helps plug the gaps because Splunk can easily identify malicious traffic.
In this instance, Splunk was only deployed for a specific department, not the entire ministry. However, this department has multiple cloud clusters for their operations, storage, and computing. Splunk is monitoring all of these clusters. It started as an on-premise solution, but then the department decided to go for cloud-based services that require a connector. Now, it's more of a hybrid solution.
How has it helped my organization?
We face a lot of government-backed threats from India's neighbors, so threat intelligence can provide us with the information to take preemptive steps to stop the attacks. We were able to configure our network and the gateway firewalls. So that helped us overall.
We use the threat topology and MITRE ATT&CK features to compile our quarterly reports, but the leaders of the government departments are hardly concerned with these things. They only respond to certain keywords if you highlight them. However, if you explain that something is an IOC according to the MITRE ATT&CK framework, they won't understand the jargon. They don't have the technical knowledge to comprehend MITRE ATT&CK. A private organization might have that capability. Government agencies may go for a full-fledged enterprise solution, but there are many features they don't understand or want to use.
We still need to use manual techniques to investigate threats. Once, we had to look for devices that were infected, and we manually located the threat because the attacker had used a particular telecom handle to steal the data. In that sense, we did it manually but used Splunk to find the threat actor and the credentials used in the attack. The investigations were also quicker because we had the necessary information on hand.
Resilience is essential, but it's something that can't fall entirely on a solution. Information security is the responsibility of every employee. While a cloud system doesn't go down easily, on-prem environments are more vulnerable.
What is most valuable?
Splunk has an excellent threat intel feed, so we can get the latest IOCs. The threat intel service enhances the threat detection capabilities because the solution is purely based on threat intel. They gather each threat intel from the dark web and the other areas of the internet. Once the integration is done, it's much more helpful than the traditional Splunk features, which may yield limited visibility. Splunk isn't purely a threat intelligence solution, but it may not have feeds at that frequency.
The threat detection capabilities are excellent, but it depends a lot on the configuration. If we can't configure the indicators of compromise correctly, then it becomes difficult for Splunk to evaluate a threat. For example, let's say a user is accelerating some data through the email gateway, and the gateway isn't being monitored. Splunk can't do anything about that because it requires a gateway monitoring system to be installed. Splunk is only aggregating the events coming in, and it cannot find the exact DLP agent. The DLP logs need to be forwarded to this Splunk connector.
What needs improvement?
The ingestion happens quickly, so you can run up the data costs if you use the default settings. It isn't a problem for government agencies in the Saudi market, but many of the corporations in India are small or medium-sized enterprises that cannot afford that kind of ingestion system.
Splunk needs to be tweaked in JSON so you can limit what is coming from the endpoints, especially the events. One needs to filter that out so that only certain events are ingested, like login failures, Active Directory changes, password reset requests, privilege modifications, etc. Each Windows machine generates about 310 KB of information per event, but we can tweak that down to about 50 KB.
For how long have I used the solution?
I have been using Splunk for five years.
What do I think about the stability of the solution?
Splunk is stable. We haven't had any downtime or performance issues.
How are customer service and support?
I rate Splunk support 10 out of 10. Splunk has lots of training materials online where our engineers can learn at their own pace. The courses are easy to understand and use simple language. You don't need to learn Java queries. The main reason we rejected QRadar was the fact that it is such a closed solution. If you want to learn something, you have to contact IBM support and request the materials.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have worked with ArcSight, and Palo Alto has a good SIEM solution. ArcSight's UI has some drawbacks, whereas Splunk is easier to integrate and implement. ArcSight's interface didn't impress me. I didn't like the way you have to write queries. It was a tedious solution to use, and it was not pleasing to the eyes. The charts and reporting were not visually appealing.
ArcSight was also a costly solution, but the main reason I wanted to switch to Splunk was that it was easier to integrate. It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query on Splunk. The resolution time is about the same, but it took longer to discover the issue with ArcSight. Our previous solution took about an hour or more, but Splunk can do it within a few minutes or an hour at most.
What's my experience with pricing, setup cost, and licensing?
Splunk can be an expensive solution. It all depends on how we configure the alerts and the events from the endpoints. You can save some money if you do that correctly. If not, it becomes an expensive solution.
If you don't have the money, you can go for an open-source solution like RedELK, which is based on Elasticsearch. It's cheaper, but you have a lot of support issues. There are no security upgrades. Those are not well supported. If somebody has a basic understanding of the technology and the necessary budget, I would say stick with Splunk. Its ease of use is attractive to an engineer.
What other advice do I have?
I rate Splunk Enterprise Security nine out of 10. There's always room for improvement.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
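The review above recommends cutting Windows ingestion down to the events that matter (login failures, Active Directory changes, password resets, privilege modifications) so that license cost stays under control. As an added example, and not the reviewer's configuration, the inputs.conf stanza below shows how that filtering is done on the Splunk universal forwarder itself, so unwanted events are dropped before they cross the wire and before they count against the license. The event ID list, the blacklist regex, and the choice of XML rendering are assumptions to adapt to the detections actually in use.

```ini
# inputs.conf on the Windows universal forwarder (added example; event list is an assumption)
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
# XML rendering carries the same fields as the classic text format in far less
# space per event, which directly reduces indexed volume.
renderXml = true
# Forward only the Security events the detections need:
#   4624 / 4625   logon success / failure
#   4672          special privileges assigned at logon (admin activity)
#   4720 / 4726   user account created / deleted
#   4724          password reset attempt
#   4728 / 4732 / 4756   member added to a global / local / universal group
#   4738          user account changed
whitelist = 4624,4625,4672,4720,4724,4726,4728,4732,4738,4756
# Even among kept IDs, drop 4624 for service logons (Logon Type 5), which are
# high-volume and rarely useful for detection. Key=regex form, regex is an assumption.
blacklist1 = EventCode="4624" Message="Logon Type:\s+5"
```

Whitelist and blacklist are evaluated on the forwarder, so a filtered event never reaches the indexer; this is the difference from filtering with a nullQueue in props.conf and transforms.conf on the indexing tier, where the event still consumes forwarder bandwidth and parsing time before being discarded.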
Data Analyst at Wipro Limited
Improves visibility of infrastructure metrics but lacks flexible dashboard filters
What is our primary use case?
I am currently using Splunk Enterprise Security to gather various infrastructure metrics. This includes data from SQL databases, Oracle databases, applications, and APIs. All of this data is collected and sent to a Kafka stream, using a connector to feed it into Splunk. My responsibility is to analyze this data to meet observability requirements. For example, I need to visualize the data from Oracle databases and other applications to identify issues. Depending on the metrics, I aim to pinpoint servers that may be experiencing problems, such as high CPU usage, disk issues, or memory overload. By analyzing the Splunk dashboard, I can quickly identify the problematic server.
I am focused on creating a Splunk dashboard that allows users to easily identify issues at a glance. This will enable users or operations teams to promptly address any server problems. My work also involves using Excel queries and other tools to enhance this process.
I am also working on anomaly detection for one of the services we have, but that is just beginning. We have just started with the anomaly detection part where machine learning can be utilized, but it is still in POC work.
What is most valuable?
The best feature I've seen is the ability to easily change the query based on the dashboard or based on the chart we have to create, allowing any value or metric we want to add to that particular chart while keeping the rest of the dashboard settings intact. However, it's worth noting that Splunk Enterprise Security does not accommodate data from various products as Tableau does because Splunk Enterprise Security is primarily focused on infrastructure and application metrics.
What needs improvement?
Last week, while I was creating a dashboard, I encountered a feature known as cascading filters. This feature allows one filter's input to depend on another filter. For example, if you select two filters, such as Asia and Europe, the country filter should update to include the countries from both continents. However, achieving this in the dashboard was not directly possible due to certain limitations of Splunk XML, particularly in the simple dashboard I'm using. While cascading filters can be implemented in the advanced Splunk Dashboard Studio, the XML option has its constraints. I found some online resources suggesting the use of advanced JavaScript or lookup files to work around these limitations. However, relying on advanced JavaScript may not be feasible for users without experience in that area, and utilizing lookup files isn't practical at this stage of the project.
The optimization of filters, which is easily achievable in software like Tableau, is not as straightforward in Splunk XML. The client expressed a requirement for this functionality, and unfortunately, we currently need to either use lookup files, delve into advanced JavaScript or XML, or create a new dashboard using the Dashboard Studio, which is the advanced version of Splunk.
For how long have I used the solution?
I have been working with Splunk Enterprise Security for three months since I recently joined the Wipro organization and got enrolled in this project where they utilize Splunk Enterprise Security.
Splunk Enterprise Security was already implemented when I started working at my current company. I got onboarded to the project where they wanted data analysis skills, and they selected me because I had previous skills in Tableau for visualization purposes, and they needed someone who could visualize infrastructure metrics. They brought me into their project as a Splunk Enterprise Security observability analyst.
What do I think about the stability of the solution?
Splunk Enterprise Security is quite stable, and I have never experienced a breakdown with it. Sometimes, I only need to refresh the dashboard or refresh the URL from the browser, and everything resets. In terms of stability, everything we update in UAT or development reflects quickly, and I haven't encountered significant issues with the stability of Splunk Enterprise Security.
What do I think about the scalability of the solution?
I can rate Splunk Enterprise Security a seven out of ten in terms of scalability because it is purposefully designed for logs and metrics.
How are customer service and support?
I haven't had discussions with technical support for Splunk Enterprise Security as I've never needed to escalate issues. There is a separate team for Splunk Enterprise Security administration on the project, but I've had very little direct interaction with them.
I referred to documents and guides that were included in the project guidelines. Additionally, for creating dashboards, I primarily used YouTube videos as reference.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I was a data analyst in my previous organization where I utilized Tableau, so I am familiar with its benefits and can differentiate between the capabilities of both UIs. Splunk Enterprise Security is limited to metrics, traces, and logs data, whereas Tableau can handle any kind of data. This leads to a similar brainstorming process for various visualization needs. When it comes to Tableau and the healthcare industry, we encounter different kinds of data related to aspects such as insurance, patient information, and diseases. If we look at cloud products, we find that there are various offerings associated with the cloud. The dashboards created for these products are designed based on cloud data. For example, in the automotive industry, we observe a different approach. In Splunk Enterprise Security, we tend to focus on a single type of data. In contrast, Tableau, Power BI, and other tools allow us to utilize various types of data to address different types of problems more effectively.
Splunk Enterprise Security is much more feasible as it is directly connected within the cloud servers, and whatever charts or dashboards we have to create can be easily tracked and created compared to Tableau. Some useful features from Tableau, such as cascading filters, are not available in the Splunk XML dashboards. In Splunk Enterprise Security, we use two types of dashboards: Dashboard Studio and simple XML Studio, with some limitations in the simple XML dashboard.
What other advice do I have?
My team has used the risk-based alerting feature of Splunk Enterprise Security. We recently discussed the alerting system concerning particular servers that can be triggered after assessing the risk, so that the particular email, or any generated data, charts, or everything associated, could be sent directly to the respective POCs. It will help in prioritizing security incidents for my team because there is another team utilizing this feature, allowing people to recognize which data or server is experiencing problematic issues, which helps enhance server inspection without always referencing the dashboard. Every morning, at a selected time based on the time zone, individuals can identify which server has a problem.
I would rate Splunk Enterprise Security a six out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Aug 5, 2025
SOC Analyst at Topcon Omni Systems, Inc.
Makes investigations much easier by providing us with the relevant context to help guide our investigations
Pros and Cons
- "The most valuable features include the incident review and Dashboard Studio."
- "Having analysts put their notes directly within the investigation feature in the incident review would be beneficial."
What is our primary use case?
The use cases depend on how you want detections to be set up. For example, you can have specific use cases for Office 365 alerts, Carbon Black, or more extensively towards MITRE ATT&CK framework. You can enable different analysis stories and alerts based on these use cases. You can individually go ahead and enable them.
How has it helped my organization?
It is really important that Splunk Enterprise Security provides end-to-end visibility into our environment because there are multiple levels of hierarchy within an organization.
We need easy visibility starting from L0 analysts up to the SOC manager and director. If it is easily visible, it makes operations easy to teach to a basic analyst and also to show upper management what we have in the current scenario or how an investigation is going. Visibility is very important.
Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data. We have different teams approaching us to use Splunk, ingest their logs, and aggregate their logs.
The system helped us reduce our alert volume, mostly because a lot of false positives had been fine-tuned. That was my last two months of work consolidated. I had to go in, check on all the alerts, see what was causing a huge spike in alerts, and make sure the false positives were reduced and the alerts had come down.
Splunk Enterprise Security provides us with the relevant context to help guide our investigations. It makes investigations much easier. With more information and the right applications, I break down the investigation in such a way that I can build a timeline. Once I have a timeline, I can build a story around it and make a report around it. Splunk definitely has helped a lot.
Splunk Enterprise Security helped reduce our mean time to resolve. Using the identity investigator and asset investigator applications definitely reduces the mean time for an investigation. I can see all the authentication logs, changes made, and threat IDs by simply inputting a username or asset name. It reduces investigation time by about 60 to 75%.
We currently use it for our security team. The next step is to pitch it to different teams and get it integrated for them as well.
What is most valuable?
The most valuable features include the incident review and Dashboard Studio. My job involves building dashboards, so it's easy to visualize and explain the environment using Dashboard Studio.
Incident review with my SOC job helps me check all the incidents and alerts coming in.
What needs improvement?
Having analysts put their notes directly within the investigation feature in the incident review would be beneficial.
We have to go to multiple tabs for each dashboard, each incident, or each application within Splunk. If there were a way to consolidate all the tabs, or everything, into one app for that particular organization, where an analyst could just click on it and everything is there, that would be a really good feature.
For how long have I used the solution?
I've been using Splunk for about five years now. I started at my previous job right after my master's. I was working for Santander Bank, where I used Splunk extensively for three years. I was a SOC analyst there.
Now at the current company, I've been here for about a year, so I've been using it here as well.
What do I think about the stability of the solution?
Cisco being Cisco, just bought Splunk. I would give it some more time to see how things go.
Prior to Splunk's acquisition by Cisco, Splunk was really good.
How are customer service and support?
Overall, the customer service and support were very good. At times, we had difficulties reaching out with our questions, but most of the time they were answered. Due to the time constraints, we had just 100 hours working with the consultant, so some things took some time.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
When I joined this current company, they had Rapid7. It was horrendous and horrible. It was not easy to use. I'm kind of partial to Splunk because I started off with Splunk, so, we switched.
I joined last July and asked my manager about the current solutions. He was not happy with how Rapid7 was working either. We evaluated different vendors, including Microsoft Defender and Sentinel. My preference for Splunk played a role in our decision.
What about the implementation team?
We had a consultant for the integration process. They were very helpful. We had a consultant named Sayed who guided us through the process. They provided step-by-step instructions (kinda baby steps), walked us through analytics and restoring, and different aspects of Splunk. It was a really helpful experience.
What was our ROI?
It's only been about two and a half to three months. It's still fairly new to our environment. I would give it three to four more months before assessing ROI.
Which other solutions did I evaluate?
We evaluated Sentinel, Palo Alto, and Splunk, along with Rapid7, which was already in the environment. So, we evaluated these four options.
Splunk gave us the opportunity to take in or put in the logs whatever we wanted and plug in different applications, whichever we wanted to have the visibility.
We didn't have that flexibility with Palo Alto and Sentinel. We didn't have the investigation ease with the others; the investigation ease within Splunk is very easy.
I could build an SQL query within a minute, or I could just open up different documents to have it right there. But if I go to Palo Alto, it's not there.
Defender was quite good competition. Like Sentinel, it was good competition, but Splunk stood out where the investigation time was considerably less compared to Sentinel.
What other advice do I have?
Overall, I would rate it a nine out of ten because we haven't integrated a lot of applications like SOAR and stuff. Once we have everything in place, it might be a ten. But right now, I would go with a nine.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Associate VP and Cyber Security Specialist at US Bank
Offers good visibility into multiple environments, significantly reduces our alert volume, and speeds up our security investigations
Pros and Cons
- "We can automatically suspend or terminate suspicious sessions."
- "There are limitations with Splunk not detecting all user activity, especially on mainframes and network devices."
What is our primary use case?
Through Splunk Enterprise Security, we have implemented extensive login integration. This allows us to monitor and restrict access for sensitive accounts, such as superuser and master accounts when password rotations occur. If a login attempt is made for such an account, Splunk triggers a real-time workflow that automatically generates a P1 ticket for the Help Desk and IAM Operations teams to investigate and take necessary action.
Beyond real-time monitoring, we have established additional security measures. We utilize locks within JBOS to control manual account check-ins and user server activity, such as password verifications. Splunk ingests logs from any configured PAM solutions, enabling auditors and our technical team to readily access and analyze all privileged activities. We can also generate reports for session management, session logs, and audit logs.
How has it helped my organization?
Splunk Enterprise Security can enhance our organization's detection capabilities. While SIEM solutions are essential for most companies, choosing the right one is crucial. Splunk Enterprise Security is a popular option, and its benefits extend beyond technical teams. It can empower audit teams and provide visibility into user activities, including data sharing and out-of-the-box reports. Splunk's strength lies in its flexibility. It can integrate with other tools to fill any gaps in its capabilities. However, relying solely on one tool like Splunk isn't ideal. PAM tools often have built-in auditing and reporting features, but they may not offer the same level of customization or enterprise-wide visibility. This is where Splunk comes in. It provides a complementary solution, offering multiple ways to generate reports and gain insights.
We recently focused on enhancing Splunk Enterprise Security's identity correlation capabilities. This involved integrating it with several chosen applications. One key integration involved moving from Puppet to Ansible for managing privileged access management and performing virtualization tasks. Ansible allows for agentless management, meaning we don't need to install agents on every server. For broader asset management, we leverage CI/CD tools for efficient deployment across all servers. These tools significantly reduce the manual effort required.
Splunk Enterprise Security offers good visibility into multiple environments. However, certain applications in the financial sector, particularly for high-risk activities, still face regulatory or compliance restrictions that prevent them from migrating to the cloud. Despite these limitations, we see forward-thinking institutions like JPMorgan Chase taking the initiative to move lower-risk applications to the cloud. This trend extends beyond finance, with other sectors like healthcare already embracing cloud adoption.
In my assessment, Splunk Enterprise Security earns an eight out of ten for its ability to detect malicious activities and breaches, but only a seven out of ten for taking action.
Once we have an enterprise version set up, Splunk handles the initial identification steps of potential threats, saving us manual effort. I'd even rate Splunk a perfect ten for this initial phase. However, subsequent action items still require manual intervention – a bottleneck we can minimize with additional tools like endpoint security threat analytics that integrate with Splunk. This would enable complete threat modeling, including asset identification and mitigation directly within Splunk. Unfortunately, our company hasn't invested heavily in threat modeling, with a limited team compared to the larger IAM and risk groups. Thankfully, the industry is recognizing the importance of threat modeling, leading to increased hiring in this area.
Splunk Enterprise Security has significantly reduced our alert volume. This has freed up a substantial portion of the IAM operations team, who were previously tasked with continuously monitoring for threats and anomalies across various applications, not just spam. By leveraging these threat detection tools, we anticipate being able to reduce IAM operations staff by at least 50 percent.
Splunk Enterprise Security facilitates the acceleration of our security investigations, reducing the required time from one week to one day.
What is most valuable?
One of the features I appreciate most is privileged account threat detection. It identifies suspicious activity associated with fraudulent accounts detected on the endpoints of target systems.
Furthermore, the platform offers threat analysis and reporting that leverages Splunk data. This allows for the detection of irregular user access from machines directly. This functionality is crucial in large PAM environments with thousands of users, as it identifies inactive accounts.
For scenarios where users might not access the PAM portal to change passwords, different policies are implemented. Splunk plays a key role in detecting irregular user activity. By establishing a three-month threshold, we can identify cases where users haven't used their accounts despite not being on leave or vacation. Such instances warrant investigation to determine the continued need for privileged access.
We can automatically suspend or terminate suspicious sessions. We have also customized reporting within Splunk.
What needs improvement?
There are limitations with Splunk not detecting all user activity, especially on mainframes and network devices. This is because Splunk relies on agents, which cannot access certain workstations. In these cases, we have to rely on application data. For example, with mainframes, manual reports are generated and sent to Splunk, limiting visibility to what's manually reported. This lack of automation for specific platforms needs improvement from Splunk. Additionally, API access is limited for other applications that rely on API calls and requests. This requires heavy customization on Splunk's end. These are the main challenges we've encountered.
Monitoring multiple cloud platforms, like Azure, GCP, and AWS, with Splunk Enterprise Security presents some challenges. While Splunk provides different connectors for each provider, consolidating data from two domains across distinct cloud environments can be complex. However, leveraging pre-built templates and Splunk's data collation capabilities can help overcome these hurdles. Despite initial difficulties, I believe Splunk can effectively address this task, earning it an eight out of ten rating for its multi-cloud monitoring capabilities.
While Splunk Enterprise Security offers insider threat detection capabilities, its effectiveness could be enhanced by integrating with additional tools, such as endpoint security solutions. This integrated approach is particularly crucial for financial institutions, which often require dedicated endpoint security teams. While using multiple tools is valuable, further improvements within Splunk itself are also necessary. Considering both external integration and internal development, I would rate its current insider threat detection capabilities as three out of ten.
Threat detection is where Splunk falls behind. While it offers tools, other use cases require additional work. PAM is an enterprise tool that centralizes information about users, servers, and everything else. It needs real-time monitoring, which I haven't seen in any of the companies I've worked for. They only rely on Splunk for alerting, but real-time monitoring should be handled by the endpoint security team's tools. This means there's no detection or analysis at the machine or endpoint level. Additionally, threat analysis reporting is also absent.
For how long have I used the solution?
I currently use Splunk Enterprise Security.
What do I think about the scalability of the solution?
Splunk Enterprise Security's scalability and ability to handle large data volumes is great. Splunk can manage a lot of users and applications. I would rate the scalability a nine out of ten.
How are customer service and support?
The technical support is a bit expensive but they respond quickly.
How would you rate customer service and support?
Positive
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is expensive but the solution is equipped with a lot of features.
What other advice do I have?
My rating for Splunk Enterprise Security depends on the type of logs being analyzed and the company's specific environment and setup. If a company is actively comparing Splunk to competitors and their environment aligns well with Splunk's strengths, then a score of nine out of ten is justified.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
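The two privileged-access detections the reviewer above describes (a P1 ticket for any login attempt to a sensitive account while its password is being rotated, and a 90-day dormancy check that excludes users on leave) as an added example, written in Python over constructed PAM audit lines. This is not the reviewer's code, not Splunk ES content, and not a Splunk API; the account names, hosts, the key=value log format, the 15-minute rotation window, the leave list and the "current time" are all assumptions made for the example.

```python
"""Added example (not the reviewer's or Splunk's code): two PAM detections over
constructed audit lines.

1. detect_rotation_logins: any login attempt to a sensitive account within
   ROTATION_WINDOW after a successful password rotation on the same host
   produces a P1 ticket for the Help Desk and IAM Operations queues.
2. find_dormant_accounts: a privileged account with no successful login in
   the last threshold_days, whose owner is not on leave, is flagged for review.

Account names, hosts, log format, window size and NOW are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed PAM audit lines (not real data): ISO timestamp + key=value fields.
SAMPLE_LOGS = """\
2025-08-01T09:00:00Z action=password_rotate account=root host=db01 user=svc-pam result=success
2025-08-01T09:05:00Z action=login account=root host=db01 user=jsmith result=success
2025-08-01T09:06:00Z action=login account=root host=db01 user=jsmith result=failure
2025-08-01T12:00:00Z action=login account=oracle host=db02 user=kpatel result=success
2025-04-20T08:00:00Z action=login account=dba_master host=db03 user=lchen result=success
2025-07-30T17:45:00Z action=login account=root host=web01 user=mrossi result=success
"""

SENSITIVE_ACCOUNTS = {"root", "dba_master"}          # assumed superuser/master accounts
PRIVILEGED_ACCOUNTS = {"root", "oracle", "dba_master", "app_admin", "backup_svc"}
ON_LEAVE = {"backup_svc"}                             # assumed HR feed of owners on leave
ROTATION_WINDOW = timedelta(minutes=15)               # assumed rotation window
NOW = datetime(2025, 8, 2, tzinfo=timezone.utc)       # assumed "current time"


def parse_pam_log(text):
    """Parse the constructed key=value lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_rotation_logins(events):
    """P1 tickets for login attempts (success or failure) to a sensitive
    account shortly after its password was rotated on the same host."""
    last_rotate = {}  # (account, host) -> timestamp of last successful rotation
    tickets = []
    for ev in events:
        key = (ev["account"], ev["host"])
        if ev["action"] == "password_rotate" and ev["result"] == "success":
            last_rotate[key] = ev["ts"]
        elif (ev["action"] == "login"
              and ev["account"] in SENSITIVE_ACCOUNTS
              and key in last_rotate
              and ev["ts"] - last_rotate[key] <= ROTATION_WINDOW):
            tickets.append({
                "priority": "P1",
                "account": ev["account"], "host": ev["host"],
                "user": ev["user"], "result": ev["result"],
                "ts": ev["ts"].isoformat(),
                "assign_to": ["Help Desk", "IAM Operations"],
            })
    return tickets


def find_dormant_accounts(events, privileged, on_leave, now, threshold_days=90):
    """Privileged accounts with no successful login inside the threshold,
    skipping accounts whose owner is on leave. Never-seen accounts count too."""
    last_login = {}
    for ev in events:  # events are sorted ascending, so the last write wins
        if ev["action"] == "login" and ev["result"] == "success":
            last_login[ev["account"]] = ev["ts"]
    cutoff = now - timedelta(days=threshold_days)
    dormant = []
    for acct in sorted(privileged):
        if acct in on_leave:
            continue
        seen = last_login.get(acct)
        if seen is None or seen < cutoff:
            dormant.append({"account": acct,
                            "last_login": seen.isoformat() if seen else None})
    return dormant


if __name__ == "__main__":
    evs = parse_pam_log(SAMPLE_LOGS)
    for t in detect_rotation_logins(evs):
        print("TICKET", t)
    for d in find_dormant_accounts(evs, PRIVILEGED_ACCOUNTS, ON_LEAVE, NOW):
        print("DORMANT", d)
```

Two design points worth noting: failed attempts are ticketed as well as successes, because during a rotation a failed login against a master account is exactly the signal the reviewer wants the Help Desk to see; and the dormancy check treats an account with no login at all as dormant rather than ignoring it, which is the case a "last login older than N days" query silently misses.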
Manager SOC at Rewterz
Robust threat detection with extensive customization options and seamless integration with third-party security solutions
Pros and Cons
- "One key advantage of Splunk over competitors like IBM QRadar is its superior device integration capabilities."
- "Delays in responses from the technical team can pose challenges for both vendors and clients, especially considering that Splunk applications and machine solutions are critical assets."
What is our primary use case?
We typically suggest Splunk IT builds for customers with significant EPS requirements and large-scale data environments. While other solutions like Foundry and IBM QRadar may be popular, they often have limitations in handling big data effectively.
How has it helped my organization?
It offers visibility across various environments, encompassing diverse infrastructures such as multiple firewalls. Some environments are entirely cloud-based, while others follow a hybrid model with services both on-premises and in the cloud. The infrastructure setup varies depending on the organization's specific model and needs.
We are highly satisfied with the level of visibility provided by Splunk.
It offers advanced threat detection capabilities to assist organizations in uncovering unknown threats and anomalous user behaviors. Splunk is utilized for integrating various devices including firewalls and other security controls, enabling coordination of logs and the creation of use cases. Analysts investigate alerts generated by these use cases, identifying and mitigating potential threats. Additionally, Splunk provides built-in and customizable use cases to enhance security measures.
We utilize the threat intelligence management feature in Splunk, which includes the provision of IOCs. Additionally, we have third-party intelligence services integrated into Splunk, which alert us whenever any related feature is triggered.
The effectiveness of the actionable intelligence offered by the threat intelligence management feature hinges on the third-party engines integrated or enabled within it. While false positives are common and require investigation, there are instances where identified IOCs are indeed malicious. In such cases, actions like reporting or following a predefined playbook can be taken.
We leverage the Splunk Mission Control feature, and I have hands-on experience with it. Typically, I manage it through Splunk, where I create rules, reports, and dashboards. Enabling third-party intelligence and other features involves a thorough review process, particularly when onboarding new clients. Once set up, we regularly review our baseline configuration and make adjustments as needed to ensure optimal performance. The Splunk Mission Control feature aids our organization in centralizing our threat intelligence and ticketing system data management. We integrate third-party intelligence services along with our company's proprietary advisories, particularly in the retail sector. This integration enables us to maintain a comprehensive reference set within Splunk.
We utilize the Threat Topology and MITRE ATT&CK Framework features to enhance our understanding of threats. These features offer micro-mapping visibility, allowing us to align identified needs with specific techniques.
The purpose of the MITRE ATT&CK Framework is to aid in discovering and understanding the full scope of an incident. Using the micro-hypotheses, we assess whether our subcontractors are adequately covered. We evaluate our rules to determine whether we have sufficient use cases for tactics and techniques, such as initial access. This process helps us identify any gaps in coverage within the MITRE ATT&CK Framework and address them accordingly.
Splunk is a valuable service for analyzing malicious activities and detecting breaches. However, I recommend ensuring comprehensive coverage of threats by integrating all relevant devices and maximizing visibility into logs. For instance, leveraging firewall logs enables the detection of anomalies at the network level, while logs from EDR solutions can identify malicious activities on endpoints.
Splunk has significantly improved our threat detection speed. Comparatively, when working with other teams, I've found Splunk to be more efficient due to its big data capabilities, allowing for faster analysis compared to IBM QRadar and similar tools.
The primary benefits our customers experience from utilizing Splunk in their organization are significant. While Splunk may be more costly compared to other machine solutions, its effectiveness shines in handling large volumes of data, making it ideal for organizations with extensive data needs. Unlike solutions like IBM QRadar, which may struggle with processing large amounts of data efficiently, Splunk's big data capabilities enable it to excel in such scenarios.
Splunk Enterprise has effectively decreased our alert volume across various use cases. Whenever we develop a new use case, we carefully analyze it, occasionally encountering false positives. In such instances, we collaborate with IT to whitelist these cases. Over time, as we accumulate a robust whitelist, the ratio of false positives diminishes, resulting in a higher rate of true positive alerts.
It has significantly accelerated our security investigations, proving to be immensely helpful. We can efficiently track and analyze user activities with most devices integrated into the Splunk environment. The visibility provided by Splunk allows us to coordinate activities seamlessly and thoroughly investigate any detected incidents. Whether it's identifying the origin of an activity or uncovering correlations between events, Splunk enables us to piece together the entire user activity chain swiftly and effectively.
Compared to other SIEM products, I've found that Splunk offers quicker alert resolution times. Its ability to efficiently handle large data volumes contributes to this advantage. Analysts typically have predefined playbooks and investigation checklists for when alerts are triggered, which Splunk supports well. Additionally, we've customized dashboards and reports to further streamline our detection process, ultimately reducing our response time.
For those seeking cost-effective solutions, Elastic Stack stands out as a popular choice due to its single-source administration and competitive pricing. Many industries, recognizing its affordability and robust services, are swiftly adopting Elastic and other similar solutions like Wazuh.
The value of resilience in a SIEM solution varies depending on the organization's preferences and requirements. Some organizations prioritize high availability and disaster recovery capabilities, which contribute to resilience.
What is most valuable?
As an analyst, I've observed that Splunk offers a variety of rule sets, along with built-in and customizable use cases. We have the flexibility to create dashboards and expand reports for management visibility. One key advantage of Splunk over competitors like IBM QRadar is its superior device integration capabilities. With Splunk, we can seamlessly integrate and coordinate data from various sources, enhancing our analytical capabilities.
What needs improvement?
I believe there is room for improvement in reducing costs, particularly in the financial aspect, as Splunk tends to be pricier compared to other options. Additionally, enhancing support services with more technical personnel is essential. Delays in responses from the technical team can pose challenges for both vendors and clients, especially considering that Splunk applications and machine solutions are critical assets. Splunk's pricing may pose a barrier for some users, but if it becomes more competitive, it could attract those currently using IBM QRadar or similar solutions. Additionally, considering the trend towards migration to Microsoft Sentinel, which offers a comprehensive suite including identity management and EDR coverage with Microsoft Defender, Splunk could benefit from offering similar modules. In Microsoft Sentinel, they offer a separate identity management module, which I find particularly valuable. Any anomalies detected within identity management trigger alerts, providing enhanced security.
For how long have I used the solution?
I have been working with it for two years.
What do I think about the stability of the solution?
It provides good stability capabilities.
What do I think about the scalability of the solution?
The scalability of Splunk, particularly when implemented as an enterprise solution, is notable. While we work with a limited number of clients, typically five to six, they are spread across various locations, including the US and Pakistan. From a maintenance perspective, our operations are based in Pakistan. Our clientele predominantly consists of customers from Gulf countries, and we also extend our services to clients in the US.
How are customer service and support?
There have been instances where the response time from Splunk's support team has been slower in comparison to others. I find IBM QRadar and similar solutions to have more efficient support teams. I would rate it five out of ten.
How would you rate customer service and support?
Neutral
What about the implementation team?
Our deployment team handles both deployment and support services, including maintenance responsibilities.
What was our ROI?
It offers a return on investment for our company.
What other advice do I have?
Overall, I would rate it eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
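The ATT&CK coverage review the reviewer above describes (checking whether the rule set has enough use cases per tactic, such as initial access, and finding the gaps) as an added example, written in Python over a constructed rule inventory. This is not the reviewer's code and not Splunk ES content. The technique-to-tactic table is a hand-typed subset of ATT&CK Enterprise; the rule names, their enabled flags and the per-tactic "required" list are assumptions made for the example.

```python
"""Added example (not the reviewer's or Splunk's code): ATT&CK coverage gap
analysis over a constructed rule inventory.

Each rule records the technique IDs it detects and whether it is enabled.
coverage_report says, per tactic, which required techniques are covered by at
least one enabled rule and which are not; quick_wins finds gaps a currently
disabled rule would close; unmapped_rules lists rules that count for nothing.
"""
from collections import defaultdict

# Hand-typed subset of ATT&CK Enterprise: technique -> tactics it appears under.
TECHNIQUE_TACTICS = {
    "T1566": ["initial-access"],                                   # Phishing
    "T1078": ["initial-access", "persistence",
              "privilege-escalation", "defense-evasion"],          # Valid Accounts
    "T1059": ["execution"],                                        # Command/Scripting Interpreter
    "T1053": ["execution", "persistence", "privilege-escalation"], # Scheduled Task/Job
    "T1110": ["credential-access"],                                # Brute Force
    "T1021": ["lateral-movement"],                                 # Remote Services
    "T1486": ["impact"],                                           # Data Encrypted for Impact
}

# Constructed rule inventory (assumed names; not Splunk ES correlation searches).
RULES = [
    {"name": "Phishing attachment opened", "techniques": ["T1566"], "enabled": True},
    {"name": "Login from new country",     "techniques": ["T1078"], "enabled": True},
    {"name": "PowerShell encoded command", "techniques": ["T1059"], "enabled": False},
    {"name": "Password spray",             "techniques": ["T1110"], "enabled": True},
    {"name": "Firewall CPU high",          "techniques": [],        "enabled": True},
]

# Assumed: techniques the SOC has decided it must cover, per tactic.
REQUIRED = {
    "initial-access":    {"T1566", "T1078"},
    "execution":         {"T1059", "T1053"},
    "persistence":       {"T1078", "T1053"},
    "credential-access": {"T1110"},
    "lateral-movement":  {"T1021"},
    "impact":            {"T1486"},
}


def enabled_techniques(rules):
    """Technique IDs that at least one enabled rule claims to detect."""
    return {t for r in rules if r["enabled"] for t in r["techniques"]}


def unmapped_rules(rules):
    """Rules with no ATT&CK mapping: they never improve coverage numbers."""
    return [r["name"] for r in rules if not r["techniques"]]


def coverage_report(rules, required=REQUIRED):
    """Per tactic: covered and missing techniques plus a coverage percentage.
    A technique only counts toward a tactic if ATT&CK lists it under that tactic,
    so a typo in REQUIRED cannot inflate the score."""
    covered_all = enabled_techniques(rules)
    report = {}
    for tactic, needed in required.items():
        valid = {t for t in needed if tactic in TECHNIQUE_TACTICS.get(t, [])}
        covered = sorted(valid & covered_all)
        missing = sorted(valid - covered_all)
        report[tactic] = {
            "covered": covered,
            "missing": missing,
            "pct": round(100 * len(covered) / len(valid)) if valid else 0,
        }
    return report


def quick_wins(rules, report):
    """Missing techniques that a currently disabled rule already maps to:
    enabling the rule closes the gap without writing a new use case."""
    disabled = defaultdict(set)
    for r in rules:
        if not r["enabled"]:
            for t in r["techniques"]:
                disabled[t].add(r["name"])
    wins = {}
    for row in report.values():
        for t in row["missing"]:
            if t in disabled:
                wins[t] = sorted(disabled[t])
    return wins


if __name__ == "__main__":
    rep = coverage_report(RULES)
    for tactic, row in rep.items():
        print(f"{tactic:18} {row['pct']:3}%  missing={row['missing']}")
    print("quick wins:", quick_wins(RULES, rep))
    print("unmapped rules:", unmapped_rules(RULES))
```

The point of separating `quick_wins` from the report is the one the reviewer makes about baseline reviews: a gap in the matrix is often a rule that exists but was switched off during false-positive tuning, and that is a cheaper fix than authoring a new use case.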

Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: September 2025