Associate I at Positka
Real User
Top 20
Feb 17, 2026
Advanced analytics has improved resilience and real-time threat mapping across diverse data
Pros and Cons
  • "Splunk Enterprise Security has helped greatly improve the organization's business resilience."
  • "I think the pricing aspect of Splunk Enterprise Security is quite high compared to other products, which I hear from most of my customers."

What is our primary use case?

My use cases for Splunk Enterprise Security involve both security as well as data analytics.

How has it helped my organization?

Splunk Enterprise Security has helped greatly improve the organization's business resilience.

What is most valuable?

The features of Splunk Enterprise Security that I appreciate the most include the recent AI feature and the MITRE mapping feature.

AI helps in analyzing a certain detection within Splunk Enterprise Security and assists with some tasks that I might require internet or other tabs to work on, while MITRE ATT&CK helps me to map the attacks and provides coverage for my attacks.

What needs improvement?

I would appreciate improvements in the licensing aspect, especially with the SVC-based license, as there is no proper view on top of it regarding how much CPU and usage is being done on the SVC-based license, along with updates to the SOAR version.

The experience with alerts, specifically risk-based alerts, is good, but it might need some improvement as there might be some deviation or false positives, so I think implementing AI over there might increase the feasibility or view around it.

I think the pricing aspect of Splunk Enterprise Security is quite high compared to other products, which I hear from most of my customers.

Buyer's Guide
Splunk Enterprise Security
April 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: April 2026.
893,311 professionals have used our research since 2012.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for approximately 3.5 years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as very good, with not much downtime or crashes, as it depends on the hardware used and the kind of setup done, which is primarily based on misconfiguration or not predicting something.

I have not faced any significant challenges when using Splunk Enterprise Security; there is not much that I cannot solve.

What do I think about the scalability of the solution?

Splunk Enterprise Security scales very well with the growing needs of my organization and my clients' organizations.

Expanding usage with Splunk Enterprise Security consumes time and effort, but the end result is actually good.

How are customer service and support?

I would evaluate customer service and technical support as good but not very good.

On a scale of one to ten, I would rate them somewhere around seven to eight.

How was the initial setup?

I would describe my experience with deploying Splunk Enterprise Security as good, pretty easy, straightforward, and with plenty of documentation.

I have not faced any challenges during the deployment aspect; even if I did, I figured it out using Splunk Community and Splunk documentation.

What was our ROI?

It does bring measurable benefits in terms of return on investment for clients; specifically, for banking or finance customers who wish to contain their data within their environments, they would definitely go for Splunk Enterprise Security compared to CrowdStrike, but less mature organizations might prefer other products.

Which other solutions did I evaluate?

The key differences, both pros and cons of Splunk Enterprise Security in comparison to CrowdStrike, are that I am a Splunk enthusiast and I love Splunk Enterprise Security, but CrowdStrike is good in search and detections due to its status as a threat intel partner, which offers good detections, while customization done in Splunk Enterprise Security might take too much time on CrowdStrike and there are fewer integration options with CrowdStrike.

I don't have much idea of the disadvantages of Splunk Enterprise Security apart from the pricing.

What other advice do I have?

I am currently working with Splunk products.

I work with Splunk Enterprise and Splunk Enterprise Security.

The process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security is pretty easy for me as an expert, but I'm not sure for a new user; being a Splunk architect, I feel it's a little easy and the customization is very helpful.

We have it integrated with various disparate solutions including RSA, CrowdStrike, AWS, Google, Microsoft, Docker, firewalls, switches, and multiple other technologies.

This integration supports my security operations by fetching logs about user activity and audit logs and actions taken by the user; for normal products, this allows me to analyze, detect, and correlate two or three different datasets to build up a use case from which I can deduce some information, and with the queries I have using SPL queries, I can get some data analytics or alerts or reports based on which I can take action.

I use risk-based alerting in Splunk Enterprise Security.

My experience with risk-based alerting, while not mainly focused on the SOC part of Splunk Enterprise Security, provides support to my engineering efforts.

I am not currently using any new threat detection features in Splunk Enterprise Security; I have no idea about that part of it.

My impressions of Splunk Enterprise Security's capability to predict, identify, and solve problems in real-time depend on what kind of data is being received and the use cases being written; it is not straightforward, but because Splunk Enterprise Security is an analytics platform without AI on top of it, it feels that some data sources are less predictable, yet for jobs that are repetitive or similar, Splunk Enterprise Security works well.

I would rate this product a 9 out of 10.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Feb 17, 2026
IT Admin at EuroSerwis
Real User
Top 20
Sep 30, 2025
Faced challenges with cost and support but have gained insights into traffic monitoring and threat detection
Pros and Cons
  • "What I appreciate about Splunk Enterprise Security is creating the newest SPL for network traffic and using the risk-based alerting feature that helps my organization by allowing me to learn more information about Splunk every day because it is a big platform."
  • "I encounter issues such as downtime, bugs, glitches, and unbox errors."

What is our primary use case?

My use case for the project is thin.

What is most valuable?

What I appreciate about Splunk Enterprise Security is creating the newest SPL for network traffic. I use the risk-based alerting feature. The risk-based alerting helps my organization by allowing me to learn more information about Splunk every day because it is a big platform.

What needs improvement?

I think that Splunk Enterprise Security is a very good platform, but the price is very high. I don't know how to explain what else can be improved in Splunk Enterprise Security aside from pricing. Support is important for improvements. My thoughts on better support include better knowledge base and better response time; it encompasses both aspects.

For how long have I used the solution?

I moved to Splunk Enterprise Security and learned it for two to three years, but in the last year, I worked with my friends on one project.

What do I think about the stability of the solution?

I rate the stability as a five. I encounter issues such as downtime, bugs, glitches, and unbox errors.

What do I think about the scalability of the solution?

Only two users use Splunk Enterprise Security.

How are customer service and support?

Support is important for improvements. My thoughts on better support include better knowledge base and better response time; it encompasses both aspects. I rate support as a five.

How would you rate customer service and support?

Positive

How was the initial setup?

I think it was easy to install, but this platform has many components I must learn. It took me months to deploy.

What other advice do I have?

I am reviewing Splunk Enterprise Security today, and I am working on one simple product and creating simple SPL. My thoughts on customizing, developing, testing, deploying, and refining detections are focused on detection. The testing is just the last component. My thoughts on the testing feature in Splunk Enterprise Security involve the network traffic to Cisco traffic, Juniper, or low car infrastructure. I am using new threat detection features in Splunk Enterprise Security and would work on big projects in the future. I do not use disparate security solutions that integrate or import data into Splunk Enterprise Security. I want to learn more because I create simple SPL, and my friends are not Splunk Enterprise Security expert admins. I would recommend Splunk Enterprise Security to other users because it is a platform for monitoring all traffic, network infrastructure, hardware, software, and everything.

I rate the solution overall as a five out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Sep 30, 2025
Sage Martinez - PeerSpot reviewer
IT Security Analyst I at a comms service provider with 1,001-5,000 employees
Real User
Top 10
Sep 11, 2025
Has improved investigation speed with effective search features and real-time analysis
Pros and Cons
  • "Everything I'm seeing now in Splunk Enterprise Security is effective, especially the AI and the Attack Analyzer, which I found particularly impressive."
  • "I would say we haven't seen any return on investment with Splunk Enterprise Security because we are still maturing and trying to get everything situated, and we're experiencing roadblocks with other teams not wanting to give us what we need."

What is our primary use case?

My main use cases for Splunk Enterprise Security are responding to alerts, looking for logs, and for investigations.

What is most valuable?

The features I appreciate the most about Splunk Enterprise Security are the basic search capabilities, seeing what I input into the search and what results I receive, such as the charts and their visibility. These features benefit my organization by helping with our investigations; when we receive something, we're able to quickly find its source and nature. Everything I'm seeing now in Splunk Enterprise Security is effective, especially the AI and the Attack Analyzer, which I found particularly impressive.

What needs improvement?

The most significant challenge I face when using Splunk Enterprise Security for advanced threat detection is not with Splunk itself, but with our own asset management and knowing what our assets are, particularly regarding visibility.

For how long have I used the solution?

I have been using Splunk Enterprise Security for about a year.

What do I think about the stability of the solution?

I have experienced maybe one downtime, crash, or performance issue.

I would describe the stability and reliability of Splunk Enterprise Security as good, with only a couple of issues that were within our own team.

What do I think about the scalability of the solution?

Splunk Enterprise Security has been good so far in scaling with the growing needs of my organization; we haven't been growing too much to where it's a problem, but it's been performing well.

What was our ROI?

I would say we haven't seen any return on investment with Splunk Enterprise Security because we are still maturing and trying to get everything situated, and we're experiencing roadblocks with other teams not wanting to give us what we need.

Which other solutions did I evaluate?


What other advice do I have?

Splunk Enterprise Security handles problems in real-time. 

When rating Splunk Enterprise Security overall, I'd give it a nine out of ten. I appreciate that it has a good UI that looks good and works well. I would recommend Splunk Enterprise Security.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Sep 11, 2025
Security Engineer at a consultancy with 11-50 employees
Real User
Top 20
Sep 10, 2025
Search features have improved our threat detection and streamlined data analysis
Pros and Cons
  • "The feature I appreciate the most about Splunk Enterprise Security is Search Processing Language, which has benefited my organization by making searching data a lot easier than other tools I've used."
  • "Sometimes talking through email isn't the most effective method, as they go through troubleshooting steps we've already taken, which requires additional back-and-forth communication."

What is our primary use case?

My main use cases for Splunk Enterprise Security are detections and security.

What is most valuable?

The feature I appreciate the most about Splunk Enterprise Security is Search Processing Language. These features have benefited my organization by making searching data a lot easier than other tools I've used.

What needs improvement?

Improvement for Splunk Enterprise Security is hard to address because I'm not on version 8 yet. The main thing was integrating all the different pages we have into one, which they have accomplished in version 8.1.2. I'm looking forward to using it.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

I would assess the stability and reliability of Splunk Enterprise Security as having no issues so far.

What do I think about the scalability of the solution?

Splunk Enterprise Security appears to scale with the growing needs of my organization. We haven't expanded usage at all yet.

How are customer service and support?

I would evaluate customer service and technical support as seven or eight out of ten. They're normally great. Sometimes talking through email isn't the most effective method, as they go through troubleshooting steps we've already taken, which requires additional back-and-forth communication.

How would you rate customer service and support?

Positive

What was our ROI?

I would imagine we have seen return on investment with Splunk Enterprise Security.

What other advice do I have?

My advice to other organizations considering Splunk Enterprise Security is that it is definitely worth implementing, but it must be done properly. Make sure you have all preparations complete before getting the implementation package. I rate Splunk Enterprise Security eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Sep 10, 2025
Resident Consultant (Security Analyst) at helpag
MSP
Top 20
Apr 23, 2025
Accelerates security investigations and threat detections and allows customizations
Pros and Cons
  • "I find it beneficial that Splunk Enterprise Security easily integrates with other tools. Due to its excellent API capabilities, it facilitates connections with various cybersecurity tools."
  • "I have noticed a return on investment with Splunk Enterprise Security, as it delivers substantial value for money."
  • "Improving the infrastructure behind Splunk Enterprise Security is vital—enhanced cores, CPUs, and memory should be prioritized to support better processing power. When we execute heavy, resource-intensive queries over long periods, the performance dips."

What is our primary use case?

We have customized use cases for Splunk Enterprise Security as per our environment, due to our infrastructure related to cloud, virtualization, and a few application servers, along with Active Directory management, where we look for user interface and access management. We receive alerts related to any password breaches or unauthorized user access, or if any applications stop running. 

Consequently, we created multiple customized use cases, and accordingly, we receive alerts on Splunk Enterprise Security. It integrates with other tools for threat intelligence and anomaly detection. We are enjoying a good experience so far, and our admins ensure that the use cases are well-maintained. Additionally, they perform fine-tuning as needed. 

We have some database servers integrated for alerting us about unused services. We communicate with our database admins regarding incidents related to data management issues. We suggest actions to the database admins based on these alerts for better data management.

How has it helped my organization?

Splunk Enterprise Security is highly customizable, which is an excellent feature. We are continually fine-tuning it to meet our requirements, and everything has been smooth thus far. We also have well-designed dashboards that allow us to visualize data from various use cases in comprehensive graphs, which is beneficial for management reviews, especially during inspections, to display the status of our environment.

We monitor multiple environments, and those environments are integrated with Splunk Enterprise Security, functioning effectively.

In terms of visibility, it offers insights into integrated devices such as firewalls, cloud infrastructure, and virtual machines. The extent of visibility corresponds to the number of devices we integrate with Splunk Enterprise Security. We have access management servers and Threat Intelligence integrated, enhancing visibility across various elements in our environments.

Splunk Enterprise Security provides good visibility into our environments.

Splunk Enterprise Security aids us in detecting threats faster. Over time, it has incorporated enhanced AI support that enables self-analysis and offers valuable feedback. It operates as an intelligent tool, parsing and generating relevant incidents effectively.

Splunk Enterprise Security significantly improves our organization's business resilience. Since my introduction to Splunk Enterprise Security in 2022, I have observed an increase in its intelligence levels, and I look forward to integrating more infrastructure with it. Our reliance is shifting more towards Splunk Enterprise Security for providing solid decision-making capabilities and easy integrations with multiple cybersecurity and IT infrastructure controls.

Splunk Enterprise Security has helped reduce our alert volume to a good extent. It goes beyond mere incident handling by providing feedback to IT infrastructure personnel and database administrators. The incident responses have enabled us to make several environmental corrections, reducing flaws and incidents over time. For instance, alerts related to unnecessary service account logins have prompted us to give feedback to admins, which reduces their workload. False positives are a notable aspect we address to minimize unnecessary alerts, while true positives associated with malware or MITRE framework indicators prompt effective management action.

Splunk Enterprise Security accelerates security investigations. The tool contains extensive data, and the key lies in how to extract that information, depending on the analyst's capability. Our company emphasizes obtaining Splunk Core admin and user certifications to enhance our understanding of the Splunk Enterprise Security product.

What is most valuable?

I find it beneficial that Splunk Enterprise Security easily integrates with other tools. Due to its excellent API capabilities, it facilitates connections with various cybersecurity tools. We utilize different controls, such as Anomaly and Threat Intelligence, and also integrate it with Data Diode, which assists in one-way communication for infrastructure. Splunk Enterprise Security can seamlessly receive logs from various infrastructures, including Data Diode and firewalls.

We utilize Threat Topology and MITRE ATT&CK features, as these aspects fall under the MITRE ATT&CK framework. They provide coverage for continuous user activities and password issues. The MITRE ATT&CK framework is beneficial for detection and outbound traffic, and it offers a good number of default use cases that we have implemented in our environment.

What needs improvement?

In terms of recommendations for improvement, when performance degradation occurs, we need to do a root cause analysis. The repeated tendency to inform us about memory utilization complaints encourages us to consider adjusting our query needs. Improving the infrastructure behind Splunk Enterprise Security is vital—enhanced cores, CPUs, and memory should be prioritized to support better processing power. When we execute heavy, resource-intensive queries over long periods, the performance dips. Our admin quickly intervenes to correct resource bottlenecks, allowing everything to function properly again.

For how long have I used the solution?

I have been working with Splunk Enterprise Security for approximately two years now.

What do I think about the scalability of the solution?

I find it easy to scale Splunk Enterprise Security for our environment, and I would rate its scalability an eight.

How are customer service and support?

I have sought assistance from Splunk Enterprise Security support in the past, particularly during deployment, and they provide friendly and effective help.

Which solution did I use previously and why did I switch?

Having experienced using QRadar from IBM, I find Splunk Enterprise Security more intelligent and supportive.

How was the initial setup?

The deployment of Splunk Enterprise Security is straightforward, and integration with other security controls is quite easy after the initial setup.

What about the implementation team?

Initially, we required the assistance of Splunk Enterprise Security consultants for the deployment process.

What was our ROI?

I have noticed a return on investment with Splunk Enterprise Security, as it delivers substantial value for money. This is why we are keen on expanding our infrastructure under Splunk Enterprise Security rather than other SIEM options.

What other advice do I have?

We are currently using Splunk Enterprise Security for our SOC in our office, and as long as the office continues its use, we will still be using it.

I haven't faced any other difficulties apart from the CPU resource issues. I find Splunk Enterprise Security to be very customizable and user-friendly. The only consideration is that if we want to increase the volume of logs processed, we need to buy more licenses.

Maintaining Splunk Enterprise Security requires personnel, especially due to the existence of different search heads and various forwarders in our robust setup, supporting a centralized logging environment.

I find it easy to scale Splunk Enterprise Security for our environment, and I would recommend that potential users consider their capacity to invest financially based on the criticality of their infrastructure, as adoption comes with licensing costs.

I would rate Splunk Enterprise Security an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer2746377 - PeerSpot reviewer
Senior System Administrator at a tech services company with 5,001-10,000 employees
Real User
Top 20
Jul 30, 2025
Efficiently correlates large volumes of log data and makes it usable for end users
Pros and Cons
  • "Splunk Enterprise Security is a huge value-add to us because I can confirm that our security team treats it as a normal component of their daily operations."
  • "Both quality and speed are lacking. Quality-wise, tickets sometimes go in circles, with unnecessary complications and escalations requiring repeated explanations."

What is our primary use case?

I lead a team that does Splunk administration. We mainly worry about the platform itself, ensuring everything works, log sources are coming in, and assisting with searches. We have a dedicated security team that represents the user side, the consumers of that data. We try to get all the log sources in for them so they can create detections, alerts, dashboards, and their own custom app integrations. We support them as much as we can in the platform, and they do their security work based on that.

What is most valuable?

The biggest thing that Splunk is known for across all its platforms is aggregation. We have thousands of log sources coming in, and Splunk Enterprise Security does a great job of correlating that information and making it very searchable and usable for the end user. This is my most enjoyable feature. 

Splunk Enterprise Security is a huge value-add to us because I can confirm that our security team treats it as a normal component of their daily operations. They access Splunk Enterprise Security multiple times every single day doing their job. This proves substantial value given they need it that frequently, and considering the proportion of our contract.

What needs improvement?

Even though aggregation is one of the best features, they do poorly at integrating their own products with each other. There is Splunk Cloud, which handles searching, and there is Splunk Enterprise Security. In the backend, these are separate instances, even though the data comes from essentially the same database source. When I make changes on one platform, it may or may not affect the other side. This leaves me with uncertainty between what I'm doing in one, not knowing if it will affect the same thing on the other side. By extension, I sometimes make redundant changes already done on the other side. The discrepancy between the different search heads leaves me confused most of the time about these changes.

Their support also needs improvement.

For how long have I used the solution?

I have been using this solution for about two years now.

What do I think about the stability of the solution?

For stability, I would give it an A grade. The platform generally runs exceptionally. It occasionally experiences brief interruptions, but their operations people who manage the cloud side typically have the system back up before I receive a response to my submitted ticket. They are very aware of their system's stability on the operational side.

For performance, I would give it a B grade. Some of the performance issues could be due to our own tuning that we could improve. However, Splunk is designed to handle vast amounts of data, and in my opinion, it should operate a bit faster, especially when initiating searches or processing smaller jobs. It would be helpful if these tasks could run more quickly because, once the search actually starts, it performs well. The initial parsing phase, when running a new search, can take quite a while, and I find it frustrating to have to wait during that part.

What do I think about the scalability of the solution?

In terms of infrastructure, I cannot speak to it since it is cloud-based and operates as a black box regarding scaling. However, when it comes to handling increased data loads, Splunk Enterprise Security performs exceptionally. When we onboard new things, new log sources, or experience extra volume from heavy firewall activity, Splunk Enterprise Security processes all the data efficiently. From the time a log is generated on a system to when it reaches Splunk Enterprise Security is extremely fast. Though search time might be slightly slower than preferred, ingestion time for logs to hit the cloud is fantastic.

How are customer service and support?

Both quality and speed are lacking. Quality-wise, tickets sometimes go in circles, with unnecessary complications and escalations requiring repeated explanations.

Speed is particularly problematic. I submitted a high-priority ticket for a broken login configuration to Splunk Enterprise Security, called twice, and received no response from Friday until the following Monday. After escalating to our sales team requesting immediate response for our security team's broken access, we finally received assistance, and we were able to get back on track, but I was really unhappy with the situation. It was a critical priority issue that they were not addressing appropriately. We have paid for Splunk support, and we’re not on the free tier hoping for assistance; we are a significant customer and invest a lot in this service. Given our active contract, we expect to receive better support. This area definitely needs improvement.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I previously used AlienVault, an open source solution, but was not as deeply involved with it as I am with Splunk Enterprise Security.

How was the initial setup?

The initial setup precedes my time with the company. When I started using it, it was a bit of a challenge. Splunk Enterprise Security is extensive and complex. The setup was not necessarily more difficult than regular Splunk Core since they are integrated, but the learning curve was quite steep. It took approximately six months to feel comfortable administering the full system independently.

The solution requires significant maintenance. It is very stable, but to keep things moving forward, we must do considerable work. Apps or add-ons we install require our own updates if they are not default ones offered by Splunk Enterprise Security. The baseline configuration gets upgraded automatically, which I appreciate. However, maintaining all other add-ons falls to us, which requires substantial work, especially as Splunk Enterprise Security is aggressive with their updates and minor versions. We must constantly do compatibility checks or create technical debt by staying behind versions sometimes, not knowing what features we might miss.

What's my experience with pricing, setup cost, and licensing?

The pricing is very reasonable for what it offers us. Out of our entire contract, Splunk Enterprise Security represents approximately 15% of our total Splunk expenditure. Splunk Enterprise Security is a huge value add to us because our security team treats it very much as a normal component of their daily operations. They go into Splunk Enterprise Security multiple times every single day doing their job. That means that it proves a lot of value to where they need it that frequently. Given the proportion of our contract, there is a lot of value right there.

What other advice do I have?

Splunk Enterprise Security has approximately seven different AI capabilities. These include natural language processing for search query assistance, machine learning for alerts and data processing, and plugins such as Tensor for external AI processing. However, I remain cautious about enabling all AI features without understanding their performance impact. 

I would rate Splunk Enterprise Security a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
CEO at CygenIQ
Real User
Top 10
Dec 22, 2024
Improves threat management and has effective analytics
Pros and Cons
  • "The Splunk Enterprise Security's threat-hunting capabilities have been particularly useful in later releases."
  • "Splunk Enterprise Security enhances business resilience and assists with threat detection by centralizing security data."
  • "Splunk Enterprise Security would benefit from a more robust rule engine to reduce false positives."

What is our primary use case?

We primarily used Splunk Enterprise Security for data and cloud ingestion. We also leveraged it for enterprise security use case engineering, which encompassed malware analysis, threat management, detection, and the integration of threat and vulnerability intelligence, culminating in comprehensive reporting and dashboards. This was the principal use case for our SIEM platform. In recent years, we have also employed Splunk for user behaviour analytics to bolster insider threat protection.

We implemented Splunk Enterprise Security to improve security monitoring, threat detection, and incident response.

How has it helped my organization?

Although Splunk is not the only tool we use, it is essential that it provides end-to-end visibility into threats in our environment.

Splunk is effective for helping find security events across multiple cloud, on-premises, or hybrid environments.

Splunk helps improve our organization's ability to ingest and normalize data.

Splunk helps us identify threats in real-time.

We integrated 50 percent of the MITRE ATT&CK framework's techniques to enhance our incident detection capabilities.

Splunk Enterprise Security effectively analyzes various security events and has helped improve my organization's ability to ingest and normalize data.

Splunk helped us detect threats faster. 

Splunk Enterprise Security reduced the investigation time by consolidating datasets for quick access.

Splunk Enterprise Security enhances business resilience and assists with threat detection by centralizing security data.

I have a positive impression of Splunk's ability to predict, identify, and solve problems.

Splunk Enterprise Security helps reduce our mean time to resolve.

What is most valuable?

The Splunk Enterprise Security's threat-hunting capabilities have been particularly useful in later releases.

What needs improvement?

Splunk Enterprise Security would benefit from a more robust rule engine to reduce false positives. While its detection capabilities are efficient, there is room to improve its alert volume reduction and false positive management efficiency. Furthermore, enhancements in its integration capabilities with other security infrastructures could optimize its overall effectiveness.

For how long have I used the solution?

I have been using Splunk Enterprise Security for 13 years.

What do I think about the stability of the solution?

In terms of stability, Splunk is good. It provides a stable environment but needs to integrate with ITSM platforms to achieve better visibility.

What do I think about the scalability of the solution?

Splunk Enterprise Security is efficient and scalable, especially for large environments with substantial scalability needs.

How are customer service and support?

The technical support for Splunk met my expectations.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I haven't switched to Splunk from another solution, but I have used various products, such as Google Chronicle, Securonix, ExtraHop, and Sumo Logic, to meet different customer needs. Securonix is used more for behavioural analytics and insider threats, whereas Splunk is used for logging and monitoring.

How was the initial setup?

The initial setup of Splunk Enterprise Security is straightforward, but it does require skilled personnel.

What about the implementation team?

The implementation involved an architect, cloud DevOps engineer, data engineer, full-stack developers, and cybersecurity engineers. A team of five to six members, tailored to different roles, was typical.

What was our ROI?

Splunk's cost is justified for large environments with extensive assets. However, for smaller organizations, other products may provide better value for money.

What's my experience with pricing, setup cost, and licensing?

Splunk is priced higher than other solutions.

What other advice do I have?

I would rate Splunk Enterprise Security nine out of ten.

Splunk Enterprise Security requires continuous maintenance and support, which requires a dedicated team. Previously, seven to eight personnel were focused on platform maintenance. Additional resources may be required to optimize for multiple customer environments. 

For those evaluating SIEM solutions solely based on cost, Splunk might not be suitable. It is essential to consider security, context, and specific use cases rather than just choosing based on price. Critical assets need the right platform for effective protection rather than opting for a cheaper solution.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
GautamKar - PeerSpot reviewer
Staff Performance Engineer at ServiceNow
MSP
Top 5
Mar 2, 2025
Real-time monitoring and alerts enhance performance evaluation and security investigations
Pros and Cons
  • "I can create dashboards to collect and view information in a tabular, graphical format. This feature is important because it helps me understand time-series data over one or two hours."
  • "Overall, I would rate it a nine out of ten."
  • "Data retention can be better. If we want to look at the data for five months or six months, that is not available to us. We only have a history of 20 or 30 days. After that, the information gets lost. That is a drawback."

What is our primary use case?

We use it for real-time monitoring and alerts for all instances and servers on our sub-prod instances. It helps in monitoring, getting alerts for specific errors, and identifying various logs. We also use it for log analysis, which is very beneficial.

My use case is more related to production issues. Threat detection is taken care of by another team.

How has it helped my organization?

It is our go-to tool for monitoring multiple cloud environments. The difficult part initially is to understand how the logging is happening for particular applications or instances. Once you have an understanding of what you want to see and how they are getting generated, you can just write queries, and you can create exhaustive dashboards for anybody to look at and understand how things are.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. Its threat detection capabilities are good. We can look at the exact activity and task. We can look at a trace and understand what is happening. It gives a very granular understanding. I see emails from the security team mentioning what they have identified, so it seems to be helpful for threat detection.

Based on the org mail that we received, they were able to block almost 95% of threats in real time. That is a pretty good number.

Splunk Enterprise Security helps to reduce alert volume because you can understand patterns, such as where your requests are going and how everything is happening. There has been a 40% to 50% reduction.

Splunk Enterprise Security has helped speed up our security investigations by 40% to 50%. It has helped the security team to get a head start and understand where the issue is originating and where the problem is. We are operating in a very dynamic environment, so any time lost costs the company money.

What is most valuable?

I can create dashboards to collect and view information in a tabular, graphical format. This feature is important because it helps me understand time-series data over one or two hours. It creates graphs, allowing us to check spikes and examine average values and 90th and 95th percentile values. This capability is useful for performance monitoring and issue identification. I believe it has helped speed up security investigations.

What needs improvement?

Data retention can be better. If we want to look at the data for five months or six months, that is not available to us. We only have a history of 20 or 30 days. After that, the information gets lost. That is a drawback. 

Splunk's dashboards are pretty basic. In comparison to Grafana, the dashboards are not as detailed. There is room for improvement in that area.

For how long have I used the solution?

I have been using it for about one and a half years now.

What do I think about the stability of the solution?

It is stable. I have not encountered any stability issues so far.

What do I think about the scalability of the solution?

It is easy to scale. We have multiple instances, sub-instances, and prod instances running, so scalability is not a problem.

It is being used by development teams, QA teams, performance teams, and security teams. We have about 500 people using it.

How are customer service and support?

It is good. I have not had any major issues where support was lacking, so I would rate it positively.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In this organization, I did not use any similar solution. In my previous organization, we used APM tools like Dynatrace and AppDynamics, which helped us monitor real-time data and performance. Splunk is a similar tool but offers more capabilities and is also cost-effective.

It was an organizational decision to go with Splunk Enterprise Security. It involved financial considerations and the kind of deal Splunk provided, as we are using the enterprise version and another version. Economics, capabilities, and support were factors.

How was the initial setup?

I was not involved in its deployment. When it comes to maintenance, another team looks after it and takes care of maintenance.

What was our ROI?

I have not been involved in the finance part, so I cannot comment on ROI or costs. However, preventing incidents or solving performance issues saves money, converting time saved to money. Customers are happy. Employees are happy. There is less downtime.

What's my experience with pricing, setup cost, and licensing?

I am not aware of the costs; that is handled by a separate team. I only use it for logs and performance issues.

What other advice do I have?

Instead of going for the cheapest solution available, you should go for the one that meets your needs. It takes time for an organization to onboard a new solution, so it is important to choose the right solution from the start. I believe all available solutions are pretty good, so you should see what suits you better.

It is a great tool. If you learn to navigate it, you can access a wide range of information about any application or product. It is a very helpful tool, provided you know how to use it. 

Overall, I would rate it a nine out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
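The dashboards the review above describes chart an average together with 90th and 95th percentile values per time window so that spikes stand out. The following is an added example, not code from the review or from Splunk: it computes those same per-window statistics over a constructed latency sample in plain Python, using a nearest-rank percentile (assumed here as an approximation of what Splunk's percentile functions report), and flags windows whose p95 crosses a threshold the way a dashboard alert would. The window span, the sample data and the threshold are all assumptions.

```python
from collections import defaultdict
from math import ceil

# Constructed sample data, not taken from the review: (epoch seconds, response time in ms).
# The second 5-minute window contains one slow request that should surface as a p95 spike.
SAMPLES = [
    (0, 100), (30, 110), (60, 120), (90, 130), (120, 140),
    (150, 150), (180, 160), (210, 170), (240, 180), (270, 190),
    (300, 100), (330, 105), (360, 110), (390, 115), (420, 120),
    (450, 125), (480, 130), (510, 135), (540, 140), (570, 900),
]


def nearest_rank_percentile(values, pct):
    """Nearest-rank percentile: the smallest value such that at least pct% of samples are <= it."""
    if not values:
        raise ValueError("no values")
    ordered = sorted(values)
    # Multiply before dividing so ranks such as 90*10/100 stay exact.
    rank = max(1, ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def bucket_stats(samples, span_seconds=300):
    """Group samples into fixed windows and compute count/avg/p90/p95 per window,
    the per-bucket numbers a time-series dashboard would plot (assumed 5-minute span)."""
    buckets = defaultdict(list)
    for ts, ms in samples:
        buckets[ts - ts % span_seconds].append(ms)
    stats = []
    for start in sorted(buckets):
        vals = buckets[start]
        stats.append({
            "window_start": start,
            "count": len(vals),
            "avg": sum(vals) / len(vals),
            "p90": nearest_rank_percentile(vals, 90),
            "p95": nearest_rank_percentile(vals, 95),
        })
    return stats


def spike_windows(stats, p95_threshold_ms=500):
    """Window start times whose p95 exceeds the threshold: what an alert would fire on.
    The 500 ms threshold is an assumed value for the sample data."""
    return [s["window_start"] for s in stats if s["p95"] > p95_threshold_ms]


if __name__ == "__main__":
    rows = bucket_stats(SAMPLES)
    for row in rows:
        print(row)
    print("spike windows:", spike_windows(rows))
```

The average alone hides the slow request in the second window (198 ms versus 145 ms), while the p95 jumps from 190 ms to 900 ms, which is why percentile columns belong on a latency dashboard next to the mean.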