Security Engineer at a consultancy with 11-50 employees
Real User
Top 20
Sep 10, 2025
Search features have improved our threat detection and streamlined data analysis
Pros and Cons
  • "The feature I appreciate the most about Splunk Enterprise Security is Search Processing Language, which has benefited my organization by making searching data a lot easier than other tools I've used."
  • "Sometimes talking through email isn't the most effective method, as they go through troubleshooting steps we've already taken, which requires additional back-and-forth communication."

What is our primary use case?

My main use cases for Splunk Enterprise Security are detections and security.

What is most valuable?

The feature I appreciate the most about Splunk Enterprise Security is Search Processing Language. This feature has benefited my organization by making searching data a lot easier than other tools I've used.

What needs improvement?

Improvement for Splunk Enterprise Security is hard to address because I'm not on version 8 yet. The main thing was integrating all the different pages we have into one, which they have accomplished in version 8.1.2. I'm looking forward to using it.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

Buyer's Guide
Splunk Enterprise Security
May 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
902,270 professionals have used our research since 2012.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as having no issues so far.

What do I think about the scalability of the solution?

Splunk Enterprise Security appears to scale with the growing needs of my organization. We haven't expanded usage at all yet.

How are customer service and support?

I would evaluate customer service and technical support as seven or eight out of ten. They're normally great. Sometimes talking through email isn't the most effective method, as they go through troubleshooting steps we've already taken, which requires additional back-and-forth communication.

What was our ROI?

I would imagine we have seen return on investment with Splunk Enterprise Security.

What other advice do I have?

My advice to other organizations considering Splunk Enterprise Security is that it is definitely worth implementing, but it must be done properly. Make sure you have all preparations complete before getting the implementation package. I rate Splunk Enterprise Security eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Abhishek Nayak - PeerSpot reviewer
Soc L1 Engineer at Softcell Technologies Limited
Real User
Top 5
Jun 5, 2026
Incident review has improved threat detection and AI now reduces noise for faster investigations
Pros and Cons
  • "AI in Splunk Enterprise Security improves the accuracy, and the AI feature has helped me reduce false positive alerts, which prevented me from wasting time on junk alerts and separating the noise from the actual true positive alerts."
  • "Writing SPL queries is tough at first with Splunk Enterprise Security, and the system gets a bit slow when searching through a large amount of data."

What is our primary use case?

My use cases mainly involve using Splunk Enterprise Security to monitor security threats, checking the dashboard for any alerts, looking at logs to see what is actually happening, and using the built-in searches to identify suspicious alerts regarding security or suspicious activity.

What is most valuable?

I appreciate the incident review dashboard as the best feature, as it makes it very easy to track alerts and manage them in one single interface.

AI in Splunk Enterprise Security improves the accuracy, and the AI feature has helped me reduce false positive alerts, which prevented me from wasting time on junk alerts and separating the noise from the actual true positive alerts. It makes my detection much more reliable.

Risk-based alerting in Splunk Enterprise Security is very helpful. Instead of getting overwhelmed by hundreds of small, low-priority alerts, it assigns a risk score to users or machines based on their activity.

Using MITRE ATT&CK is really helpful. Splunk Enterprise Security automatically maps alerts to the MITRE ATT&CK framework, so when an alert triggers, I can see exactly which stage of an attack is happening, such as lateral movement, reconnaissance, or credential access tactics. This gives me a clear picture of what the attacker is trying to do.

What needs improvement?

Writing SPL queries is tough at first with Splunk Enterprise Security, and the system gets a bit slow when searching through a large amount of data.

For how long have I used the solution?

I have been using Splunk Enterprise Security for four months overall.

What do I think about the stability of the solution?

I did see lagging with Splunk Enterprise Security. Even when I have a huge amount of data coming in, it doesn't crash or hang. I haven't faced any major downtime. Once the configurations are set, it runs quite reliably in the background without needing constant attention.

What do I think about the scalability of the solution?

Splunk Enterprise Security is pretty flexible regarding scalability. Whenever our data volume grows, I can easily add more indexers or searchers to handle extra load, and it's straightforward to expand.

How are customer service and support?

Other analysts contact the support team if there is any need to understand the latest updates from the Splunk community, but I haven't contacted them.

Which solution did I use previously and why did I switch?

I have used an open-source Wazuh SIEM tool as an alternative. I prefer Splunk Enterprise Security more.

How was the initial setup?

The initial deployment of Splunk Enterprise Security had the main challenge of connecting all our data sources like firewall and server and making sure the data was flowing correctly. It wasn't a simple click and run. It required good planning to get all the data logs showing up properly.

What's my experience with pricing, setup cost, and licensing?

The pricing for Splunk Enterprise Security is a little bit high compared to other similar tools.

What other advice do I have?

Splunk Enterprise Security helped me in many ways. It really helped me reduce noise. Since it groups similar alerts together, I don't have to look at every single small thing. It filters out unimportant information, so I can focus on real threats.

Maintaining Splunk Enterprise Security is necessary to keep things running smoothly. I regularly check if all the logs are coming in properly. I also spend time updating and tuning searches or reducing the false positives.

I have not upgraded to Splunk Enterprise Security 8 yet.

I haven't seen any reduction in my mean time to resolve or my mean time to detect. I would rate this review an eight overall.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jun 5, 2026
PeerSpot user
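The risk-based alerting and ATT&CK tactic mapping the reviewer describes, as an added Python sketch (not Splunk's code and not from the review): low-priority alerts for the same user or host are summed over a trailing window, repeated alerts are grouped, and an entity only becomes a notable when its score and the number of distinct tactics both cross thresholds. The alert events, score values and thresholds are constructed assumptions.

```python
"""Risk-based alerting over constructed alert events (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample alerts: each one alone is too low-priority to investigate.
# "tactic" is the ATT&CK tactic the detection rule is tagged with; "score" is
# the risk contribution assigned to the rule (assumed values).
SAMPLE_ALERTS = [
    {"ts": 100, "entity": "user:alice", "rule": "Many failed logons",
     "tactic": "Credential Access", "score": 20},
    {"ts": 160, "entity": "user:alice", "rule": "First admin share access",
     "tactic": "Lateral Movement", "score": 30},
    {"ts": 220, "entity": "host:web01", "rule": "Port scan observed",
     "tactic": "Reconnaissance", "score": 15},
    {"ts": 300, "entity": "user:alice", "rule": "Credential dumping tool seen",
     "tactic": "Credential Access", "score": 40},
    {"ts": 320, "entity": "host:web01", "rule": "Port scan observed",
     "tactic": "Reconnaissance", "score": 15},
    {"ts": 5000, "entity": "user:bob", "rule": "Many failed logons",
     "tactic": "Credential Access", "score": 20},
]


@dataclass
class EntityRisk:
    """Accumulated risk for one user or host."""
    score: int = 0
    tactics: set = field(default_factory=set)
    rules: Counter = field(default_factory=Counter)  # groups repeated alerts


def aggregate_risk(alerts, now, window):
    """Sum risk contributions per entity for alerts inside [now - window, now]."""
    risk = defaultdict(EntityRisk)
    for a in alerts:
        if a["ts"] < now - window or a["ts"] > now:
            continue  # outside the trailing window (or in the future)
        r = risk[a["entity"]]
        r.score += a["score"]
        r.tactics.add(a["tactic"])
        r.rules[a["rule"]] += 1  # same rule firing twice is one grouped line
    return dict(risk)


def notable_entities(risk, threshold=60, min_tactics=2):
    """Return (entity, score, tactics) for entities whose score reaches the
    threshold AND whose alerts span at least min_tactics distinct tactics.
    Requiring several tactics is what keeps a single noisy rule from paging."""
    out = [
        (entity, r.score, sorted(r.tactics))
        for entity, r in risk.items()
        if r.score >= threshold and len(r.tactics) >= min_tactics
    ]
    return sorted(out, key=lambda item: -item[1])


if __name__ == "__main__":
    risk = aggregate_risk(SAMPLE_ALERTS, now=400, window=3600)
    for entity, r in risk.items():
        grouped = ", ".join(f"{rule} x{n}" for rule, n in r.rules.items())
        print(f"{entity}: score={r.score} tactics={sorted(r.tactics)} [{grouped}]")
    print("notables:", notable_entities(risk))
```

With the constructed data only user:alice becomes a notable: three alerts across Credential Access and Lateral Movement add up to 90, while host:web01's two identical port-scan alerts group into one line at 30 and stay below the threshold.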
reviewer2746377 - PeerSpot reviewer
Senior System Administrator at a tech services company with 5,001-10,000 employees
Real User
Top 20
Jul 30, 2025
Efficiently correlates large volumes of log data and makes it usable for end users
Pros and Cons
  • "Splunk Enterprise Security is a huge value-add to us because I can confirm that our security team treats it as a normal component of their daily operations."
  • "Both quality and speed are lacking. Quality-wise, tickets sometimes go in circles, with unnecessary complications and escalations requiring repeated explanations."

What is our primary use case?

I lead a team that does Splunk administration. We mainly worry about the platform itself, ensuring everything works, log sources are coming in, and assisting with searches. We have a dedicated security team that represents the user side, the consumers of that data. We try to get all the log sources in for them so they can create detections, alerts, dashboards, and their own custom app integrations. We support them as much as we can in the platform, and they do their security work based on that.

What is most valuable?

The biggest thing that Splunk is known for across all its platforms is aggregation. We have thousands of log sources coming in, and Splunk Enterprise Security does a great job of correlating that information and making it very searchable and usable for the end user. This is my most enjoyable feature. 

Splunk Enterprise Security is a huge value-add to us because I can confirm that our security team treats it as a normal component of their daily operations. They access Splunk Enterprise Security multiple times every single day doing their job. This proves substantial value given they need it that frequently, and considering the proportion of our contract.

What needs improvement?

Even though aggregation is one of the best features, they do poorly at integrating their own products with each other. There is Splunk Cloud, which handles searching, and there is Splunk Enterprise Security. In the backend, these are separate instances, even though the data comes from essentially the same database source. When I make changes on one platform, it may or may not affect the other side. This leaves me with uncertainty between what I'm doing in one, not knowing if it will affect the same thing on the other side. By extension, I sometimes make redundant changes already done on the other side. The discrepancy between the different search heads leaves me confused most of the time about these changes.

Their support also needs improvement.

For how long have I used the solution?

I have been using this solution for about two years now.

What do I think about the stability of the solution?

For stability, I would give it an A grade. The platform generally runs exceptionally. It occasionally experiences brief interruptions, but their operations people who manage the cloud side typically have the system back up before I receive a response to my submitted ticket. They are very aware of their system's stability on the operational side.

For performance, I would give it a B grade. Some of the performance issues could be due to our own tuning that we could improve. However, Splunk is designed to handle vast amounts of data, and in my opinion, it should operate a bit faster, especially when initiating searches or processing smaller jobs. It would be helpful if these tasks could run more quickly because, once the search actually starts, it performs well. The initial parsing phase, when running a new search, can take quite a while, and I find it frustrating to have to wait during that part.

What do I think about the scalability of the solution?

In terms of infrastructure, I cannot speak to it since it is cloud-based and operates as a black box regarding scaling. However, when it comes to handling increased data loads, Splunk Enterprise Security performs exceptionally. When we onboard new things, new log sources, or experience extra volume from heavy firewall activity, Splunk Enterprise Security processes all the data efficiently. From the time a log is generated on a system to when it reaches Splunk Enterprise Security is extremely fast. Though search time might be slightly slower than preferred, ingestion time for logs to hit the cloud is fantastic.

How are customer service and support?

Both quality and speed are lacking. Quality-wise, tickets sometimes go in circles, with unnecessary complications and escalations requiring repeated explanations.

Speed is particularly problematic. I submitted a high-priority ticket for a broken login configuration to Splunk Enterprise Security, called twice, and received no response from Friday until the following Monday. After escalating to our sales team requesting immediate response for our security team's broken access, we finally received assistance, and we were able to get back on track, but I was really unhappy with the situation. It was a critical priority issue that they were not addressing appropriately. We have paid for Splunk support, and we’re not on the free tier hoping for assistance; we are a significant customer and invest a lot in this service. Given our active contract, we expect to receive better support. This area definitely needs improvement.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I previously used AlienVault, an open source solution, but was not as deeply involved with it as I am with Splunk Enterprise Security.

How was the initial setup?

The initial setup precedes my time with the company. When I started using it, it was a bit of a challenge. Splunk Enterprise Security is extensive and complex. The setup was not necessarily more difficult than regular Splunk Core since they are integrated, but the learning curve was quite steep. It took approximately six months to feel comfortable administering the full system independently.

The solution requires significant maintenance. It is very stable, but to keep things moving forward, we must do considerable work. Apps or add-ons we install require our own updates if they are not default ones offered by Splunk Enterprise Security. The baseline configuration gets upgraded automatically, which I appreciate. However, maintaining all other add-ons falls to us, which requires substantial work, especially as Splunk Enterprise Security is aggressive with their updates and minor versions. We must constantly do compatibility checks or create technical debt by staying behind versions sometimes, not knowing what features we might miss.

What's my experience with pricing, setup cost, and licensing?

The pricing is very reasonable for what it offers us. Out of our entire contract, Splunk Enterprise Security represents approximately 15% of our total Splunk expenditure. Splunk Enterprise Security is a huge value add to us because our security team treats it very much as a normal component of their daily operations. They go into Splunk Enterprise Security multiple times every single day doing their job. That means that it proves a lot of value to where they need it that frequently. Given the proportion of our contract, there is a lot of value right there.

What other advice do I have?

Splunk Enterprise Security has approximately seven different AI capabilities. These include natural language processing for search query assistance, machine learning for alerts and data processing, and plugins such as Tensor for external AI processing. However, I remain cautious about enabling all AI features without understanding their performance impact. 

I would rate Splunk Enterprise Security a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
CEO at CygenIQ
Real User
Top 10
Dec 22, 2024
Improves threat management and has effective analytics
Pros and Cons
  • "The Splunk Enterprise Security's threat-hunting capabilities have been particularly useful in later releases."
  • "Splunk Enterprise Security enhances business resilience and assists with threat detection by centralizing security data."
  • "Splunk Enterprise Security would benefit from a more robust rule engine to reduce false positives."

What is our primary use case?

We primarily used Splunk Enterprise Security for data and cloud ingestion. We also leveraged it for enterprise security use case engineering, which encompassed malware analysis, threat management, detection, and the integration of threat and vulnerability intelligence, culminating in comprehensive reporting and dashboards. This was the principal use case for our SIEM platform. In recent years, we have also employed Splunk for user behaviour analytics to bolster insider threat protection.

We implemented Splunk Enterprise Security to improve security monitoring, threat detection, and incident response.

How has it helped my organization?

Although Splunk is not the only tool we use, it is essential that it provides end-to-end visibility into threats in our environment.

Splunk is effective for helping find security events across multiple cloud, on-premises, or hybrid environments.

Splunk helps improve our organization's ability to ingest and normalize data.

Splunk helps us identify threats in real-time.

We integrated 50 percent of the MITRE ATT&CK framework's techniques to enhance our incident detection capabilities.

Splunk Enterprise Security effectively analyzes various security events and has helped improve my organization's ability to ingest and normalize data.

Splunk helped us detect threats faster. 

Splunk Enterprise Security reduced the investigation time by consolidating datasets for quick access.

Splunk Enterprise Security enhances business resilience and assists with threat detection by centralizing security data.

I have a positive impression of Splunk's ability to predict, identify, and solve problems.

Splunk Enterprise Security helps reduce our mean time to resolve.

What is most valuable?

The Splunk Enterprise Security's threat-hunting capabilities have been particularly useful in later releases.

What needs improvement?

Splunk Enterprise Security would benefit from a more robust rule engine to reduce false positives. While its detection capabilities are efficient, there is room to improve its alert volume reduction and false positive management efficiency. Furthermore, enhancements in its integration capabilities with other security infrastructures could optimize its overall effectiveness.

For how long have I used the solution?

I have been using Splunk Enterprise Security for 13 years.

What do I think about the stability of the solution?

In terms of stability, Splunk is good. It provides a stable environment but needs to integrate with ITSM platforms to achieve better visibility.

What do I think about the scalability of the solution?

Splunk Enterprise Security is efficient and scalable, especially for large environments with substantial scalability needs.

How are customer service and support?

The technical support for Splunk met my expectations.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I haven't switched to Splunk from another solution, but I have used various products, such as Google Chronicle, Securonix, ExtraHop, and Sumo Logic, to meet different customer needs. Securonix is used more for behavioural analytics and insider threats, whereas Splunk is used for logging and monitoring.

How was the initial setup?

The initial setup of Splunk Enterprise Security is straightforward, but it does require skilled personnel.

What about the implementation team?

The implementation involved an architect, cloud DevOps engineer, data engineer, full-stack developers, and cybersecurity engineers. A team of five to six members, tailored to different roles, was typical.

What was our ROI?

Splunk's cost is justified for large environments with extensive assets. However, for smaller organizations, other products may provide better value for money.

What's my experience with pricing, setup cost, and licensing?

Splunk is priced higher than other solutions.

What other advice do I have?

I would rate Splunk Enterprise Security nine out of ten.

Splunk Enterprise Security requires continuous maintenance and support, which requires a dedicated team. Previously, seven to eight personnel were focused on platform maintenance. Additional resources may be required to optimize for multiple customer environments. 

For those evaluating SIEM solutions solely based on cost, Splunk might not be suitable. It is essential to consider security, context, and specific use cases rather than just choosing based on price. Critical assets need the right platform for effective protection rather than opting for a cheaper solution.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
GautamKar - PeerSpot reviewer
Staff Performance Engineer at ServiceNow
MSP
Top 5
Mar 2, 2025
Real-time monitoring and alerts enhance performance evaluation and security investigations
Pros and Cons
  • "I can create dashboards to collect and view information in a tabular, graphical format. This feature is important because it helps me understand time-series data over one or two hours."
  • "Overall, I would rate it a nine out of ten."
  • "Data retention can be better. If we want to look at the data for five months or six months, that is not available to us. We only have a history of 20 or 30 days. After that, the information gets lost. That is a drawback."

What is our primary use case?

We use it for real-time monitoring and alerts for all instances and servers on our sub-prod instances. It helps in monitoring, getting alerts for specific errors, and identifying various logs. We also use it for log analysis, which is very beneficial.

My use case is more related to production issues. Threat detection is taken care of by another team.

How has it helped my organization?

It is our go-to tool for monitoring multiple cloud environments. The difficult part initially is to understand how the logging is happening for particular applications or instances. Once you have an understanding of what you want to see and how they are getting generated, you can just write queries, and you can create exhaustive dashboards for anybody to look at and understand how things are.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. Its threat detection capabilities are good. We can look at the exact activity and task. We can look at a trace and understand what is happening. It gives a very granular understanding. I see emails from the security team mentioning what they have identified, so it seems to be helpful for threat detection.

Based on the org mail that we received, they were able to block almost 95% of threats in real time. That is a pretty good number.

Splunk Enterprise Security helps to reduce alert volume because you can understand patterns, such as where your requests are going and how everything is happening. There has been a 40% to 50% reduction.

Splunk Enterprise Security has helped speed up our security investigations by 40% to 50%. It has helped the security team to get a head start and understand where the issue is originating and where the problem is. We are operating in a very dynamic environment, so any time lost costs the company money.

What is most valuable?

I can create dashboards to collect and view information in a tabular, graphical format. This feature is important because it helps me understand time-series data over one or two hours. It creates graphs, allowing us to check spikes and examine average values and 90th and 95th percentile values. This capability is useful for performance monitoring and issue identification. I believe it has helped speed up security investigations.

What needs improvement?

Data retention can be better. If we want to look at the data for five months or six months, that is not available to us. We only have a history of 20 or 30 days. After that, the information gets lost. That is a drawback. 

Splunk's dashboards are pretty basic. In comparison to Grafana, the dashboards are not as detailed. There is room for improvement in that area.

For how long have I used the solution?

I have been using it for about one and a half years now.

What do I think about the stability of the solution?

It is stable. I have not encountered any stability issues so far.

What do I think about the scalability of the solution?

It is easy to scale. We have multiple instances, sub-instances, and prod instances running, so scalability is not a problem.

It is being used by development teams, QA teams, performance teams, and security teams. We have about 500 people using it.

How are customer service and support?

It is good. I have not had any major issues where support was lacking, so I would rate it positively.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In this organization, I did not use any similar solution. In my previous organization, we used APM tools like Dynatrace and AppDynamics, which helped us monitor real-time data and performance. Splunk is a similar tool but offers more capabilities and is also cost-effective.

It was an organizational decision to go with Splunk Enterprise Security. It involved financial considerations and the kind of deal Splunk provided, as we are using the enterprise version and another version. Economics, capabilities, and support were factors.

How was the initial setup?

I was not involved in its deployment. When it comes to maintenance, another team looks after it and takes care of maintenance.

What was our ROI?

I have not been involved in the finance part, so I cannot comment on ROI or costs. However, preventing incidents or solving performance issues saves money, converting time saved to money. Customers are happy. Employees are happy. There is less downtime.

What's my experience with pricing, setup cost, and licensing?

I am not aware of the costs; that is handled by a separate team. I only use it for logs and performance issues.

What other advice do I have?

Instead of going for the cheapest solution available, you should go for the one that meets your needs. It takes time for an organization to onboard a new solution, so it is important to choose the right solution from the start. I believe all available solutions are pretty good, so you should see what suits you better.

It is a great tool. If you learn to navigate it, you can access a wide range of information about any application or product. It is a very helpful tool, provided you know how to use it. 

Overall, I would rate it a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Data Analyst at Wipro Limited
Real User
Top 20
Aug 5, 2025
Improves visibility of infrastructure metrics but lacks flexible dashboard filters
Pros and Cons
  • "The best feature I've seen is the ability to easily change the query based on the dashboard or based on the chart we have to create, allowing any value or metric we want to add to that particular chart while keeping the rest of the dashboard settings intact."

What is our primary use case?

I am currently using Splunk Enterprise Security to gather various infrastructure metrics. This includes data from SQL databases, Oracle databases, applications, and APIs. All of this data is collected and sent to a Kafka stream, using a connector to feed it into Splunk. My responsibility is to analyze this data to meet observability requirements. For example, I need to visualize the data from Oracle databases and other applications to identify issues. Depending on the metrics, I aim to pinpoint servers that may be experiencing problems, such as high CPU usage, disk issues, or memory overload. By analyzing the Splunk dashboard, I can quickly identify the problematic server.

I am focused on creating a Splunk dashboard that allows users to easily identify issues at a glance. This will enable users or operations teams to promptly address any server problems. My work also involves using Excel queries and other tools to enhance this process.

I am also working on anomaly detection for one of the services we have, but that is just beginning. We have just started with the anomaly detection part where machine learning can be utilized, but it is still in POC work.

What is most valuable?

The best feature I've seen is the ability to easily change the query based on the dashboard or based on the chart we have to create, allowing any value or metric we want to add to that particular chart while keeping the rest of the dashboard settings intact. However, it's worth noting that Splunk Enterprise Security does not accommodate data from various products as Tableau does because Splunk Enterprise Security is primarily focused on infrastructure and application metrics.

What needs improvement?

Last week, while I was creating a dashboard, I encountered a feature known as cascading filters. This feature allows one filter's input to depend on another filter. For example, if you select two filters, such as Asia and Europe, the country filter should update to include the countries from both continents. However, achieving this in the dashboard was not directly possible due to certain limitations of Splunk XML, particularly in the simple dashboard I'm using. While cascading filters can be implemented in the advanced Splunk Dashboard Studio, the XML option has its constraints. I found some online resources suggesting the use of advanced JavaScript or lookup files to work around these limitations. However, relying on advanced JavaScript may not be feasible for users without experience in that area, and utilizing lookup files isn't practical at this stage of the project.

The optimization of filters, which is easily achievable in software like Tableau, is not as straightforward in Splunk XML. The client expressed a requirement for this functionality, and unfortunately, we currently need to either use lookup files, delve into advanced JavaScript or XML, or create a new dashboard using the Dashboard Studio, which is the advanced version of Splunk.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for three months since I recently joined the Wipro organization and got enrolled in this project where they utilize Splunk Enterprise Security.

Splunk Enterprise Security was already implemented when I started working at my current company. I got onboarded to the project where they wanted data analysis skills, and they selected me because I had previous skills in Tableau for visualization purposes, and they needed someone who could visualize infrastructure metrics. They brought me into their project as a Splunk Enterprise Security observability analyst.

What do I think about the stability of the solution?

Splunk Enterprise Security is quite stable, and I have never experienced a breakdown with it. Sometimes, I only need to refresh the dashboard or refresh the URL from the browser, and everything resets. In terms of stability, everything we update in UAT or development reflects quickly, and I haven't encountered significant issues with the stability of Splunk Enterprise Security.

What do I think about the scalability of the solution?

I can rate Splunk Enterprise Security a seven out of ten in terms of scalability because it is purposefully designed for logs and metrics.

How are customer service and support?

I haven't had discussions with technical support for Splunk Enterprise Security as I've never needed to escalate issues. There is a separate team for Splunk Enterprise Security administration on the project, but I've had very little direct interaction with them.

I referred to documents and guides that were included in the project guidelines. Additionally, for creating dashboards, I primarily used YouTube videos as reference.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I was a data analyst in my previous organization where I utilized Tableau, so I am familiar with its benefits and can differentiate between the capabilities of both UIs. Splunk Enterprise Security is limited to metrics, traces, and logs data, whereas Tableau can handle any kind of data. This leads to a similar brainstorming process for various visualization needs. When it comes to Tableau and the healthcare industry, we encounter different kinds of data related to aspects such as insurance, patient information, and diseases. If we look at cloud products, we find that there are various offerings associated with the cloud. The dashboards created for these products are designed based on cloud data. For example, in the automotive industry, we observe a different approach. In Splunk Enterprise Security, we tend to focus on a single type of data. In contrast, Tableau, Power BI, and other tools allow us to utilize various types of data to address different types of problems more effectively.

Splunk Enterprise Security is much more feasible as it is directly connected within the cloud servers, and whatever charts or dashboards we have to create can be easily tracked and created compared to Tableau. Some useful features from Tableau, such as cascading filters, are not available in the Splunk XML dashboards. In Splunk Enterprise Security, we use two types of dashboards: Dashboard Studio and simple XML Studio, with some limitations in the simple XML dashboard.

What other advice do I have?

My team has used the risk-based alerting feature of Splunk Enterprise Security. We recently discussed the alerting system concerning particular servers that can be triggered after assessing the risk, so that particular email or any generated data, charts, or everything associated, could be directly sent to the respective POCs. It will help in prioritizing security incidents for my team because there is another team utilizing this feature, allowing people to recognize which data or server is experiencing problematic issues, which helps enhance server inspection without always referencing the dashboard. Every morning, at a selected time based on the time zone, individuals can identify which server has a problem.

    I would rate Splunk Enterprise Security a six out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Mahmoud Younes - PeerSpot reviewer
    Cyber Security Architects at VaporVM
    Real User
    Apr 17, 2026
    Security monitoring has improved and now covers diverse attacks with rich incident management
    Pros and Cons
    • "When I compare it to different SIEM solutions, Splunk Enterprise Security has incident management and a threat intelligence component that is native and not limited the way different SIEM solutions are."
    • "The price is a significant concern. It is expensive and is designed for enterprise companies, not for small or medium-sized companies."

    What is our primary use case?

    There are a thousand use cases covered. Splunk Enterprise Security covers the MITRE ATT&CK framework for initial access, remote executions with malicious codes, and many other attack vectors. All use cases are covered by MITRE ATT&CK, including initial access, executions, discovery, and credential access.

    What is most valuable?

When I compare it to different SIEM solutions, Splunk Enterprise Security has incident management and a threat intelligence component that is native and not limited the way different SIEM solutions are. It also has scoring features, including user scoring and correlations that the normal Splunk Enterprise doesn't have. In Enterprise, you have detection mapping to the MITRE ATT&CK framework. The GUI is very easy to use, and by using SPL, you can find or mine data easily. You can create custom dashboards. There are many benefits when compared with IBM QRadar or FortiSIEM for on-premises SIEM solutions.

    However, this solution is for enterprise companies, not for small or medium businesses. Splunk Enterprise Security has many integrations and connectors that are easy to use when compared with IBM QRadar or normal Splunk Enterprise.

    What needs improvement?

    The price is a significant concern. It is expensive and is designed for enterprise companies, not for small or medium-sized companies.

    Another area for improvement is the machine learning capabilities. There is no native AI or machine learning in Splunk when compared with different SIEM solutions. While it is there, it requires manual setup.

    For how long have I used the solution?

    I have been working with Splunk for two years.

    What do I think about the stability of the solution?

    There are no stability challenges. Even when creating a report, incident, or dashboard, or when parsing data, everything functions very smoothly. There are no challenges that I have observed.

    What do I think about the scalability of the solution?

    It is easy to scale. You can deploy it in containers or directly on-premises. It can also be used in the cloud. However, for distribution, you need some experience if you are running indexers and search heads. If you install it as an all-in-one solution, it is fine, and anyone can install it.

    How are customer service and support?

    The customer service is helpful. Even if you face something that does not have a direct solution, you can create a workaround. Issues are resolved on time.

    Which solution did I use previously and why did I switch?

    I deployed QRadar and Wazuh before.

    How was the initial setup?

    The initial setup does not take too much time. It can be completed quickly when compared with another product. The setup takes approximately 80 minutes.

    What about the implementation team?

    We are an MSSP, and we perform POCs or production implementations and recommendations for some customers. We are also a partner with Splunk. I am working with Cisco, and Cisco is a partner with Splunk.

    What was our ROI?

    For ROI measurement, I integrated Splunk with FortiSOAR. In FortiSOAR, I can calculate the ROI and the time for closing alerts. However, I have not tried this within Splunk itself.

    Which other solutions did I evaluate?

    For threat detection, I integrated Splunk with MDE and Falcon. For normal threat detection, you can enable threat feeds from MISP or SOCRadar to create rules and check if events have any malicious IOCs to trigger alerts.

    FortiSOAR and XSOAR are also alternative solutions.

    What other advice do I have?

    Even if you face something that does not have a direct solution, you can create a workaround. Issues are resolved on time. Splunk uses a very customizable SPL language. You can search easily, and for me, it is better than EQL in Sentinel or IBM QRadar. I would rate this product a 10.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
    Manager of Security Operations Center at Wipro Limited
    Real User
    Sep 2, 2024
    Helps ingest data, enhances business resilience and problem-solving capabilities
    Pros and Cons
    • "The two features I appreciate most in Splunk Enterprise Security are the content management system and the inter-incident review dashboard."
    • "They could offer pre-built search queries for everyday use cases like brute force attacks, DDoS attacks, and other security threats."

    What is our primary use case?

    I have created various correlation searches to develop use cases for detecting security threats. For example, I have created use cases to identify brute force attacks, unauthorized access, denial of service attacks, and distributed denial of service attacks. To date, I have developed a total of 190 use cases for our environment using Splunk Enterprise Security.

    How has it helped my organization?

    The end-to-end visibility provided by Splunk Enterprise Security is crucial. Its user-friendly interface makes it easy to navigate and configure. The intuitive options allow for simple customization, enabling users to easily select and configure settings. This feature, combined with the excellent support from the Splunk team, makes it a valuable tool for addressing enterprise security issues and creating or modifying use cases.

    Splunk's website provides a variety of simple commands for identifying security events. These commands and pre-built security fields make it easy to detect real-time attacks, monitor environments, and identify security threats. Splunk offers a more straightforward and efficient approach than other monitoring tools.

    Splunk automatically ingests and normalizes data, eliminating the need for human intervention. When data is ingested, it is automatically converted into index-friendly formats within most source pipes.

    The MITRE ATT&CK framework is a valuable tool for security teams, and its integration with Splunk Enterprise Security offers significant benefits. By mapping specific MITRE ATT&CK tactics to Splunk use cases, analysts can quickly identify the root cause of security incidents and access relevant information for remediation. For example, if a brute force attack occurs, an analyst reviewing the incident can quickly determine the corresponding MITRE ATT&CK tactic and access detailed information about the attack, including potential solutions, mitigation strategies, and potential future actions. This seamless integration between MITRE ATT&CK and Splunk empowers security teams to respond to threats more effectively and efficiently.

    Splunk has significantly enhanced my business resilience and problem-solving capabilities. Due to the urgency of different issues, there are four types of Splunk support cases: P1, P2, P3, and P4. P1 cases are incredibly critical and require immediate attention. If a business-critical issue arises, I can open a P1 case, and the Splunk support team will respond within 15 minutes. This rapid response has enabled me to resolve critical issues promptly. For P2 cases, the support team typically connects within two to three hours. P3 cases receive a response within 24 hours. Overall, the Splunk support team consistently resolves issues efficiently.

    After deploying the use case, we immediately observed the benefits of Splunk Enterprise Security. We can instantly monitor enterprise security use cases in our environment without delay. However, as a precautionary measure, we deploy use cases and monitor them for seven days. If the use case does not generate excessive noise within this period, we deploy it to the final environment. Otherwise, we refrain from deployment. Splunk's capability allows us to deploy use cases within seconds.

    Splunk helps me consolidate all the data, such as networking and cyber security data. If there are other types, such as behaviour analysis, we can perform them with the help of Splunk. But I'm mainly in the cyber security field, so I am more concerned with Splunk for cyber security data only. For example, in my PhD, I created my thesis based on medical performance monitoring. I monitor the performance health condition of one million people with the help of Splunk. So, this is not a cybersecurity use case I'm creating there. I monitor the health condition with the help of a Splunk Enterprise. If a health condition is significant, the alert immediately goes to the doctor, physician, and their relative.

    My alert volume has decreased significantly. Splunk is a machine that generates alerts based on specific use cases or service queries. Before implementing a new use case or alert, we must analyze how many alerts it will trigger. If it generates fewer than one alert per day, it's acceptable. However, I will only deploy it if it generates one daily alert. This approach allows me to reduce the alert volume effectively using Splunk Enterprise Security.

    Splunk streamlined my security investigations by consolidating logs into a single repository. The Splunk community provided invaluable assistance, enabling me to quickly find answers to my security-related questions and address concerns promptly. By leveraging the collective knowledge of the global community, I expedited my security processes and enhanced overall security measures.

    Splunk reduces the mean time to resolve because it enables L1 SOC analysts to view relevant data in the power role field directly. For example, when a brute force attack alert triggers, analysts can easily see the source IP, time of the alert, user, destination IP, and other critical fields. This immediate access to information allows for swift preventive measures, countermeasures, and efficient resolution of cybersecurity issues. Splunk's clear and intuitive interface empowers even junior analysts with only one year of experience to effectively apply their knowledge and address security challenges.

    What is most valuable?

    The two features I like most in Splunk Enterprise Security are the content management system and the inter-incident review dashboard. The incident review dashboard allows us to directly view significant events triggered by the use cases I've configured within the content management system.

    What needs improvement?

    I suggest that Splunk provide the same resources on its platform, as on other websites through Google. For instance, they could offer pre-built search queries for everyday use cases like brute force attacks, DDoS attacks, and other security threats. These queries would be generated based on my specific data, saving me the time and effort of creating them manually. This would be incredibly beneficial and align with the AI capabilities already present in Splunk Enterprise Security.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for eight years.

    What do I think about the stability of the solution?

    In the eight years I have used Splunk Enterprise Security, I have experienced no stability issues. There has been no downtime or crashing. The only problems I have encountered were temporary interruptions in some features, lasting approximately 15 minutes.

    What do I think about the scalability of the solution?

    Splunk Enterprise Security is highly scalable. For example, I currently have one terabyte of data to deploy, and tomorrow, I need to deploy ten terabytes. In that case, the system can easily accommodate the increased load without compromising performance. It is extremely fast and efficient, ensuring no issues even as the input data volume grows. The system adjusts quickly to meet the demands of expanding data requirements.

    How are customer service and support?

    I have contacted Splunk technical support three times in the past fifteen days due to various issues encountered while using Splunk. Each time I reached out, they responded promptly and assisted me in resolving the problems.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I have used several alternatives to Splunk, such as AppDynamics, Dynatrace, and Oracle Enterprise Manager. However, I have found Splunk Enterprise and Splunk Enterprise Security the most effective tools for my needs. These platforms are easy to use, allowing for flexible parameter customization and dynamic adjustments to meet specific requirements.

    How was the initial setup?

    The initial deployment of Splunk Enterprise Security was straightforward due to my prior experience learning and using various tools. I found it to be significantly easier to implement than similar software.

    I set up my lab independently, being new to the environment at the time and eager to learn. I visited the Splunk website and discovered the free courses they offer. Using these courses, I successfully configured my lab. Splunk provides valuable assistance for setting up personal labs and offers a 60-day trial version. This version allows for direct log setup and hands-on practice of Splunk skills without cost.

    What's my experience with pricing, setup cost, and licensing?

    Splunk Enterprise Security's pricing is competitive. For instance, the cost typically increases proportionally with the daily license volume. For example, purchasing a 100 GB license per day is less expensive than buying one GB per day. A discount is offered for larger volume purchases.

    What other advice do I have?

    I would rate Splunk Enterprise Security eight out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
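As an added example, not the reviewer's own correlation search and not code from the page, one way to express the brute force use case described above and the seven-day noise check in SPL. It assumes the Authentication data model is accelerated (so `summariesonly=true` is valid), a constructed threshold of 20 failures per user and destination in a 10-minute window (the `threshold` field), and that the search is run over exactly seven whole days, which is why the total is divided by 7.

```spl
| tstats summariesonly=true count AS failures, dc(Authentication.src) AS distinct_sources
    FROM datamodel=Authentication
    WHERE Authentication.action="failure" earliest=-7d@d latest=@d
    BY Authentication.user, Authentication.dest, _time span=10m
| rename Authentication.* AS *
| eval threshold=20
| where failures >= threshold
| bin _time span=1d AS day
| stats count AS would_fire, dc(user) AS users_hit, dc(dest) AS targets, max(failures) AS worst_window BY day
| eventstats sum(would_fire) AS total_alerts
| eval avg_alerts_per_day=total_alerts/7
| eval deploy_ok=if(avg_alerts_per_day < 1, "yes", "no")
```

The lines up to `where failures >= threshold` are the correlation search itself; the `bin`/`stats`/`eventstats` tail replays it over the previous seven days and reports how many notables it would have raised per day, with `deploy_ok` applying the reviewer's fewer-than-one-alert-per-day rule.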
    SOC Analyst at Topcon Omni Systems, Inc.
    Real User
    Jul 9, 2024
    Makes investigations much easier by providing us with the relevant context to help guide our investigations
    Pros and Cons
    • "The most valuable features include the incident review and Dashboard Studio."
    • "Having analysts put their notes directly within the investigation feature in the incident review would be beneficial."

    What is our primary use case?

    The use cases depend on how you want detections to be set up. For example, you can have specific use cases for Office 365 alerts, Carbon Black, or more extensively towards MITRE ATT&CK framework. You can enable different analysis stories and alerts based on these use cases. You can individually go ahead and enable them. 

    How has it helped my organization?

    It is really important that Splunk Enterprise Security provides end-to-end visibility into our environment because there are multiple levels of hierarchy within an organization. 

    We need easy visibility starting from L0 analysts to the SOC manager and director. So, if it is easily visible, it makes the operations easy to teach the basic analyst or also to show the upper management what we have in the current scenario or how an investigation is going on. Visibility is very important.

    Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data. We have different teams approaching us to use Splunk, ingest their logs, and aggregate their logs.

    The system helped us reduce our alert volume mostly because a lot of false positives had been fine-tuned. That was my last two months of work consolidated. I had to go in, check on all the alerts, see what was using a huge spike in alerts, and make sure the false positives were reduced and the alerts had come down. 

    Splunk Enterprise Security provides us with the relevant context to help guide our investigations. It makes investigations much easier. With more information and the right applications, I break down the investigation in such a way that I can build a timeline. Once I have a timeline, I can build a story around it and make a report around it. Splunk definitely has helped a lot.

    Splunk Enterprise Security helped reduce our mean time to resolve. Using the identity investigator and asset investigator applications definitely reduces the meantime for an investigation. I can see all the authentication logs, changes made, and threat IDs by simply inputting a username or asset name. It reduces investigation time by about 60 to 75%.

    We currently use it for our security team. The next step is to pitch it to different teams and get it integrated for them as well.

    What is most valuable?

    The most valuable features include the incident review and Dashboard Studio. My job involves building dashboards, so it's easy to visualize and explain the environment using Dashboard Studio. 

    Incident review with my SOC job helps me check all the incidents and alerts coming in.

    What needs improvement?

    Having analysts put their notes directly within the investigation feature in the incident review would be beneficial. To make notes. 

We have to go to multiple tabs for each dashboard, each incident, or each application within Splunk. If there were a way to consolidate all the tabs, or everything, into one app for that particular organization, where an analyst could just click on it and everything is there, that would be a really good feature.

    For how long have I used the solution?

    I've been using Splunk for about five years now. I started at my previous job right after my master's. I was working for Santander Bank, where I used Splunk extensively for three years. I was a SOC analyst there.

    Now at the current company, I've been here for about a year, so I've been using it here as well.

    What do I think about the stability of the solution?

    Cisco being Cisco, just bought Splunk. I would give it some more time to see how things go. 

    Prior to Splunk's acquisition by Cisco, Splunk was really good. 

    How are customer service and support?

    Overall, the customer service and support were very good. At times, we had difficulties reaching out for your questions but most of the time, they were answered. Due to the time constraints, we had just 100 hours working with the consultant. So some things kind of took some time with that.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    When I joined this current company, they had Rapid7. It was horrendous and horrible. It was not easy to use. I'm kind of partial to Splunk because I started off with Splunk, so, we switched. 

    I joined last July and asked my manager about the current solutions. He was not happy with how Rapid7 was working either. We evaluated different vendors, including Microsoft Defender and Sentinel. My preference for Splunk played a role in our decision.

    What about the implementation team?

    We had a consultant for the integration process. They were very helpful. We had a consultant named Sayed who guided us through the process. They provided step-by-step instructions (kinda baby steps), walked us through analytics and restoring, and different aspects of Splunk. It was a really helpful experience.

    What was our ROI?

    It's only been about two and a half to three months. It's still fairly new to our environment. I would give it three to four more months before assessing ROI.

    Which other solutions did I evaluate?

    We evaluated Sentinel, Palo Alto, and Splunk, along with Rapid7, which was already in the environment. So, we evaluated these four options. 

    Splunk gave us the opportunity to take in or put in the logs whatever we wanted and plug in different applications, whichever we wanted to have the visibility. 

    We didn't have that flexibility with Palo Alto and Sentinel. We didn't have the investigation ease with the others; the investigation ease within Splunk is very easy. 

    I could build an SQL query within a minute, or I could just open up different documents to have it right there. But if I go to Palo Alto, it's not there. 

    Defender was quite a good competition. Like Sentinel, it was a good competition, but Splunk stopped where the investigation time was considerably less compared to Sentinel.

    What other advice do I have?

    Overall, I would rate it a nine out of ten because we haven't integrated a lot of applications like SOAR and stuff. Once we have everything in place, it might be a ten. But right now, I would go with a nine.

    Which deployment model are you using for this solution?

    Public Cloud

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    reviewer2755902 - PeerSpot reviewer
    Security Analyst at a computer software company with 51-200 employees
    Real User
    Sep 15, 2025
    Out-of-the-box detections have supported threat identification while integration consolidates alerts from multiple sources

    What is our primary use case?

    I use other types of security solutions that integrate or import data into Splunk Enterprise Security, such as EDRs, firewalls, and other security products. The integration supports my security operations by providing one clear view of threat detections from firewalls and imported data.

    What is most valuable?

The features of Splunk Enterprise Security that I appreciate the most are out-of-the-box detections. These features have benefited my organization because it's a product we sell, and we sell detecting threats in the organization. The features have benefited the organizations I sell to because without them a lot would have been self-programmed, and they support us in very different ways.

    What needs improvement?

    It's difficult to answer how Splunk Enterprise Security can be improved because I'm hearing AI mentioned frequently in the keynote. It's definitely out there and it's improving the whole process. I think that a lot of effort is going into the realization of AI, but some effort is left out because they don't always mention that the outcome has to always be verified. You just say, 'Ask AI to narrow down the threats, show me how to write an email, summarize it up,' but the additional process that comes with it is verifying it all. Maybe question it, and sometimes it's wrong and you have to start over. I think improving it would be either having different AI responses to cover more, or always having to verify the user, not relying on an answer.

    The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are not in the product; they're in the human aspect. Writing the query and knowing what to search for is not a product problem.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for two years.

    How are customer service and support?

    I would evaluate customer service and technical support for Splunk Enterprise Security as good on a scale of one to 10.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    My experience with pricing, setup cost, and licensing is that it's expensive.

    What's my experience with pricing, setup cost, and licensing?

    I think the value of Splunk Enterprise Security is there, but it is one of the most expensive solutions on the market.

    What other advice do I have?

    My organization uses risk-based alerting in Splunk Enterprise Security, which supports our SOC by negating through false positives. On a scale of one to 10, I would rate Splunk Enterprise Security an eight.

    Disclosure: My company has a business relationship with this vendor other than being a customer. Partner