Manager of Security Operations Center at a tech vendor with 10,001+ employees
Helps ingest data, enhances business resilience and problem-solving capabilities
Pros and Cons
- "The two features I appreciate most in Splunk Enterprise Security are the content management system and the inter-incident review dashboard."
- "They could offer pre-built search queries for everyday use cases like brute force attacks, DDoS attacks, and other security threats."
What is our primary use case?
I have created various correlation searches to develop use cases for detecting security threats. For example, I have created use cases to identify brute force attacks, unauthorized access, denial of service attacks, and distributed denial of service attacks. To date, I have developed a total of 190 use cases for our environment using Splunk Enterprise Security.
How has it helped my organization?
The end-to-end visibility provided by Splunk Enterprise Security is crucial. Its user-friendly interface makes it easy to navigate and configure. The intuitive options allow for simple customization, enabling users to easily select and configure settings. This feature, combined with the excellent support from the Splunk team, makes it a valuable tool for addressing enterprise security issues and creating or modifying use cases.
Splunk's website provides a variety of simple commands for identifying security events. These commands and pre-built security fields make it easy to detect real-time attacks, monitor environments, and identify security threats. Splunk offers a more straightforward and efficient approach than other monitoring tools.
Splunk automatically ingests and normalizes data, eliminating the need for human intervention. When data is ingested, it is automatically converted into index-friendly formats within most source pipes.
The MITRE ATT&CK framework is a valuable tool for security teams, and its integration with Splunk Enterprise Security offers significant benefits. By mapping specific MITRE ATT&CK tactics to Splunk use cases, analysts can quickly identify the root cause of security incidents and access relevant information for remediation. For example, if a brute force attack occurs, an analyst reviewing the incident can quickly determine the corresponding MITRE ATT&CK tactic and access detailed information about the attack, including potential solutions, mitigation strategies, and potential future actions. This seamless integration between MITRE ATT&CK and Splunk empowers security teams to respond to threats more effectively and efficiently.
Splunk has significantly enhanced my business resilience and problem-solving capabilities. Due to the urgency of different issues, there are four types of Splunk support cases: P1, P2, P3, and P4. P1 cases are incredibly critical and require immediate attention. If a business-critical issue arises, I can open a P1 case, and the Splunk support team will respond within 15 minutes. This rapid response has enabled me to resolve critical issues promptly. For P2 cases, the support team typically connects within two to three hours. P3 cases receive a response within 24 hours. Overall, the Splunk support team consistently resolves issues efficiently.
After deploying the use case, we immediately observed the benefits of Splunk Enterprise Security. We can instantly monitor enterprise security use cases in our environment without delay. However, as a precautionary measure, we deploy use cases and monitor them for seven days. If the use case does not generate excessive noise within this period, we deploy it to the final environment. Otherwise, we refrain from deployment. Splunk's capability allows us to deploy use cases within seconds.
Splunk helps me consolidate all the data, such as networking and cyber security data. If there are other types, such as behaviour analysis, we can perform them with the help of Splunk. But I'm mainly in the cyber security field, so I am more concerned with Splunk for cyber security data only. For example, in my PhD, I created my thesis based on medical performance monitoring. I monitor the performance health condition of one million people with the help of Splunk. So, this is not a cybersecurity use case I'm creating there. I monitor the health condition with the help of Splunk Enterprise. If a health condition is significant, the alert immediately goes to the doctor, physician, and their relative.
My alert volume has decreased significantly. Splunk is a machine that generates alerts based on specific use cases or service queries. Before implementing a new use case or alert, we must analyze how many alerts it will trigger. If it generates fewer than one alert per day, it's acceptable. However, I will only deploy it if it generates one daily alert. This approach allows me to reduce the alert volume effectively using Splunk Enterprise Security.
Splunk streamlined my security investigations by consolidating logs into a single repository. The Splunk community provided invaluable assistance, enabling me to quickly find answers to my security-related questions and address concerns promptly. By leveraging the collective knowledge of the global community, I expedited my security processes and enhanced overall security measures.
Splunk reduces the mean time to resolve because it enables L1 SOC analysts to view relevant data in the power role field directly. For example, when a brute force attack alert triggers, analysts can easily see the source IP, time of the alert, user, destination IP, and other critical fields. This immediate access to information allows for swift preventive measures, countermeasures, and efficient resolution of cybersecurity issues. Splunk's clear and intuitive interface empowers even junior analysts with only one year of experience to effectively apply their knowledge and address security challenges.
What is most valuable?
The two features I like most in Splunk Enterprise Security are the content management system and the inter-incident review dashboard. The incident review dashboard allows us to directly view significant events triggered by the use cases I've configured within the content management system.
What needs improvement?
I suggest that Splunk provide the same resources on its platform, as on other websites through Google. For instance, they could offer pre-built search queries for everyday use cases like brute force attacks, DDoS attacks, and other security threats. These queries would be generated based on my specific data, saving me the time and effort of creating them manually. This would be incredibly beneficial and align with the AI capabilities already present in Splunk Enterprise Security.
Buyer's Guide
Splunk Enterprise Security
January 2026
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,082 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Splunk Enterprise Security for eight years.
What do I think about the stability of the solution?
In the eight years I have used Splunk Enterprise Security, I have experienced no stability issues. There has been no downtime or crashing. The only problems I have encountered were temporary interruptions in some features, lasting approximately 15 minutes.
What do I think about the scalability of the solution?
Splunk Enterprise Security is highly scalable. For example, I currently have one terabyte of data to deploy, and tomorrow, I need to deploy ten terabytes. In that case, the system can easily accommodate the increased load without compromising performance. It is extremely fast and efficient, ensuring no issues even as the input data volume grows. The system adjusts quickly to meet the demands of expanding data requirements.
How are customer service and support?
I have contacted Splunk technical support three times in the past fifteen days due to various issues encountered while using Splunk. Each time I reached out, they responded promptly and assisted me in resolving the problems.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have used several alternatives to Splunk, such as AppDynamics, Dynatrace, and Oracle Enterprise Manager. However, I have found Splunk Enterprise and Splunk Enterprise Security the most effective tools for my needs. These platforms are easy to use, allowing for flexible parameter customization and dynamic adjustments to meet specific requirements.
How was the initial setup?
The initial deployment of Splunk Enterprise Security was straightforward due to my prior experience learning and using various tools. I found it to be significantly easier to implement than similar software.
I set up my lab independently, being new to the environment at the time and eager to learn. I visited the Splunk website and discovered the free courses they offer. Using these courses, I successfully configured my lab. Splunk provides valuable assistance for setting up personal labs and offers a 60-day trial version. This version allows for direct log setup and hands-on practice of Splunk skills without cost.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security's pricing is competitive. For instance, the cost typically increases proportionally with the daily license volume. For example, purchasing a 100 GB license per day is less expensive than buying one GB per day. A discount is offered for larger volume purchases.
What other advice do I have?
I would rate Splunk Enterprise Security eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
SOC Analyst at an engineering company with 1,001-5,000 employees
Makes investigations much easier by providing us with the relevant context to help guide our investigations
Pros and Cons
- "The most valuable features include the incident review and Dashboard Studio."
- "Having analysts put their notes directly within the investigation feature in the incident review would be beneficial."
What is our primary use case?
The use cases depend on how you want detections to be set up. For example, you can have specific use cases for Office 365 alerts, Carbon Black, or more extensively towards MITRE ATT&CK framework. You can enable different analysis stories and alerts based on these use cases. You can individually go ahead and enable them.
How has it helped my organization?
It is really important that Splunk Enterprise Security provides end-to-end visibility into our environment because there are multiple levels of hierarchy within an organization.
We need easy visibility starting from L0 analysts to the SOC manager and director. So, if it is easily visible, it makes the operations easy to teach the basic analyst or also to show the upper management what we have in the current scenario or how an investigation is going on. Visibility is very important.
Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data. We have different teams approaching us to use Splunk, ingest their logs, and aggregate their logs.
The system helped us reduce our alert volume mostly because a lot of false positives had been fine-tuned. That was my last two months of work consolidated. I had to go in, check on all the alerts, see what was using a huge spike in alerts, and make sure the false positives were reduced and the alerts had come down.
Splunk Enterprise Security provides us with the relevant context to help guide our investigations. It makes investigations much easier. With more information and the right applications, I break down the investigation in such a way that I can build a timeline. Once I have a timeline, I can build a story around it and make a report around it. Splunk definitely has helped a lot.
Splunk Enterprise Security helped reduce our mean time to resolve. Using the identity investigator and asset investigator applications definitely reduces the meantime for an investigation. I can see all the authentication logs, changes made, and threat IDs by simply inputting a username or asset name. It reduces investigation time by about 60 to 75%.
We currently use it for our security team. The next step is to pitch it to different teams and get it integrated for them as well.
What is most valuable?
The most valuable features include the incident review and Dashboard Studio. My job involves building dashboards, so it's easy to visualize and explain the environment using Dashboard Studio.
Incident review with my SOC job helps me check all the incidents and alerts coming in.
What needs improvement?
Having analysts put their notes directly within the investigation feature in the incident review would be beneficial for making notes.
We have to go to multiple tabs for each dashboard, for each incident, or each application within Splunk. If there were a way to consolidate all the tabs or everything into one app for that particular organization, where an analyst could just click on that and everything is there, that would be a really good feature.
For how long have I used the solution?
I've been using Splunk for about five years now. I started at my previous job right after my master's. I was working for Santander Bank, where I used Splunk extensively for three years. I was a SOC analyst there.
Now at the current company, I've been here for about a year, so I've been using it here as well.
What do I think about the stability of the solution?
Cisco, being Cisco, just bought Splunk. I would give it some more time to see how things go.
Prior to Splunk's acquisition by Cisco, Splunk was really good.
How are customer service and support?
Overall, the customer service and support were very good. At times, we had difficulties reaching out with our questions, but most of the time, they were answered. Due to the time constraints, we had just 100 hours working with the consultant. So some things kind of took some time with that.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
When I joined this current company, they had Rapid7. It was horrendous and horrible. It was not easy to use. I'm kind of partial to Splunk because I started off with Splunk, so, we switched.
I joined last July and asked my manager about the current solutions. He was not happy with how Rapid7 was working either. We evaluated different vendors, including Microsoft Defender and Sentinel. My preference for Splunk played a role in our decision.
What about the implementation team?
We had a consultant for the integration process. They were very helpful. We had a consultant named Sayed who guided us through the process. They provided step-by-step instructions (kinda baby steps), walked us through analytics and restoring, and different aspects of Splunk. It was a really helpful experience.
What was our ROI?
It's only been about two and a half to three months. It's still fairly new to our environment. I would give it three to four more months before assessing ROI.
Which other solutions did I evaluate?
We evaluated Sentinel, Palo Alto, and Splunk, along with Rapid7, which was already in the environment. So, we evaluated these four options.
Splunk gave us the opportunity to take in or put in the logs whatever we wanted and plug in different applications, whichever we wanted to have the visibility.
We didn't have that flexibility with Palo Alto and Sentinel. We didn't have the investigation ease with the others; the investigation ease within Splunk is very easy.
I could build an SQL query within a minute, or I could just open up different documents to have it right there. But if I go to Palo Alto, it's not there.
Defender was quite a good competition. Like Sentinel, it was a good competition, but Splunk stopped where the investigation time was considerably less compared to Sentinel.
What other advice do I have?
Overall, I would rate it a nine out of ten because we haven't integrated a lot of applications like SOAR and stuff. Once we have everything in place, it might be a ten. But right now, I would go with a nine.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Associate VP and Cyber Security Specialist at a financial services firm with 10,001+ employees
Offers good visibility into multiple environments, significantly reduces our alert volume, and speeds up our security investigations
Pros and Cons
- "We can automatically suspend or terminate suspicious sessions."
- "There are limitations with Splunk not detecting all user activity, especially on mainframes and network devices."
What is our primary use case?
Through Splunk Enterprise Security, we have implemented extensive login integration. This allows us to monitor and restrict access for sensitive accounts, such as superuser and master accounts when password rotations occur. If a login attempt is made for such an account, Splunk triggers a real-time workflow that automatically generates a P1 ticket for the Help Desk and IAM Operations teams to investigate and take necessary action.
Beyond real-time monitoring, we have established additional security measures. We utilize locks within JBOS to control manual account check-ins and user server activity, such as password verifications. Splunk ingests logs from any configured PAM solutions, enabling auditors and our technical team to readily access and analyze all privileged activities. We can also generate reports for session management, session logs, and audit logs.
How has it helped my organization?
Splunk Enterprise Security can enhance our organization's detection capabilities. While SIEM solutions are essential for most companies, choosing the right one is crucial. Splunk Enterprise Security is a popular option, and its benefits extend beyond technical teams. It can empower audit teams and provide visibility into user activities, including data sharing and out-of-the-box reports. Splunk's strength lies in its flexibility. It can integrate with other tools to fill any gaps in its capabilities. However, relying solely on one tool like Splunk isn't ideal. PAM tools often have built-in auditing and reporting features, but they may not offer the same level of customization or enterprise-wide visibility. This is where Splunk comes in. It provides a complementary solution, offering multiple ways to generate reports and gain insights.
We recently focused on enhancing Splunk Enterprise Security's identity correlation capabilities. This involved integrating it with several chosen applications. One key integration involved moving from Puppet to Ansible for managing privileged access management and performing virtualization tasks. Ansible allows for agentless management, meaning we don't need to install agents on every server. For broader asset management, we leverage CI/CD tools for efficient deployment across all servers. These tools significantly reduce the manual effort required.
Splunk Enterprise Security offers good visibility into multiple environments. However, certain applications in the financial sector, particularly for high-risk activities, still face regulatory or compliance restrictions that prevent them from migrating to the cloud. Despite these limitations, we see forward-thinking institutions like JPMorgan Chase taking the initiative to move lower-risk applications to the cloud. This trend extends beyond finance, with other sectors like healthcare already embracing cloud adoption.
In my assessment, Splunk Enterprise Security earns an eight out of ten for its ability to detect malicious activities and breaches, but only a seven out of ten for taking action.
Once we have an enterprise version set up, Splunk handles the initial identification steps of potential threats, saving us manual effort. I'd even rate Splunk a perfect ten for this initial phase. However, subsequent action items still require manual intervention – a bottleneck we can minimize with additional tools like endpoint security threat analytics that integrate with Splunk. This would enable complete threat modeling, including asset identification and mitigation directly within Splunk. Unfortunately, our company hasn't invested heavily in threat modeling, with a limited team compared to the larger IAM and risk groups. Thankfully, the industry is recognizing the importance of threat modeling, leading to increased hiring in this area.
Splunk Enterprise Security has significantly reduced our alert volume. This has freed up a substantial portion of the IM operations team, who were previously tasked with continuously monitoring for threats and anomalies across various applications, not just spam. By leveraging these threat detection tools, we anticipate being able to reduce IM operations staff by at least 50 percent.
Splunk Enterprise Security facilitates the acceleration of our security investigations, reducing the required time from one week to one day.
What is most valuable?
One of the features I appreciate most is privileged account threat detection. It identifies suspicious activity associated with fraudulent accounts detected on the endpoints of target systems.
Furthermore, the platform offers threat analysis and reporting that leverages Splunk data. This allows for the detection of irregular user access from machines directly. This functionality is crucial in large PAM environments with thousands of users, as it identifies inactive accounts.
For scenarios where users might not access the PAM portal to change passwords, different policies are implemented. Splunk plays a key role in detecting irregular user activity. By establishing a three-month threshold, we can identify cases where users haven't used their accounts despite not being on leave or vacation. Such instances warrant investigation to determine the continued need for privileged access.
We can automatically suspend or terminate suspicious sessions. We have also customized reporting within Splunk.
What needs improvement?
There are limitations with Splunk not detecting all user activity, especially on mainframes and network devices. This is because Splunk relies on agents, which cannot access certain workstations. In these cases, we have to rely on application data. For example, with mainframes, manual reports are generated and sent to Splunk, limiting visibility to what's manually reported. This lack of automation for specific platforms needs improvement from Splunk. Additionally, API access is limited for other applications that rely on API calls and requests. This requires heavy customization on Splunk's end. These are the main challenges we've encountered.
Monitoring multiple cloud platforms, like Azure, GCP, and AWS, with Splunk Enterprise Security presents some challenges. While Splunk provides different connectors for each provider, consolidating data from two domains across distinct cloud environments can be complex. However, leveraging pre-built templates and Splunk's data collation capabilities can help overcome these hurdles. Despite initial difficulties, I believe Splunk can effectively address this task, earning it an eight out of ten rating for its multi-cloud monitoring capabilities.
While Splunk Enterprise Security offers insider threat detection capabilities, its effectiveness could be enhanced by integrating with additional tools, such as endpoint security solutions. This integrated approach is particularly crucial for financial institutions, which often require dedicated endpoint security teams. While using multiple tools is valuable, further improvements within Splunk itself are also necessary. Considering both external integration and internal development, I would rate its current insider threat detection capabilities as three out of ten.
Threat detection is where Splunk falls behind. While it offers tools, other use cases require additional work. PAM is an enterprise tool that centralizes information about users, servers, and everything else. It needs real-time monitoring, which I haven't seen in any of the companies I've worked for. They only rely on Splunk for alerting, but real-time monitoring should be handled by the endpoint security team's tools. This means there's no detection or analysis at the machine or endpoint level. Additionally, threat analysis reporting is also absent.
For how long have I used the solution?
I currently use Splunk Enterprise Security.
What do I think about the scalability of the solution?
Splunk Enterprise Security's scalability and ability to handle large data volumes is great. Splunk can manage a lot of users and applications. I would rate the scalability a nine out of ten.
How are customer service and support?
The technical support is a bit expensive but they respond quickly.
How would you rate customer service and support?
Positive
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is expensive but the solution is equipped with a lot of features.
What other advice do I have?
My rating for Splunk Enterprise Security depends on the type of logs being analyzed and the company's specific environment and setup. If a company is actively comparing Splunk to competitors and their environment aligns well with Splunk's strengths, then a score of nine out of ten is justified.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Manager SOC at a security firm with 201-500 employees
Robust threat detection with extensive customization options and seamless integration with third-party security solutions
Pros and Cons
- "One key advantage of Splunk over competitors like IBM QRadar is its superior device integration capabilities."
- "Delays in responses from the technical team can pose challenges for both vendors and clients, especially considering that Splunk applications and machine solutions are critical assets."
What is our primary use case?
We typically suggest Splunk IT builds for customers with significant EPS requirements and large-scale data environments. While other solutions like Foundry and IBM QRadar may be popular, they often have limitations in handling big data effectively.
How has it helped my organization?
It offers visibility across various environments, encompassing diverse infrastructures such as multiple firewalls. Some environments are entirely cloud-based, while others follow a hybrid model with services both on-premises and in the cloud. The infrastructure setup varies depending on the organization's specific model and needs.
We are highly satisfied with the level of visibility provided by Splunk.
It offers advanced threat detection capabilities to assist organizations in uncovering unknown threats and anomalous user behaviors. Splunk is utilized for integrating various devices including firewalls and other security controls, enabling coordination of logs and the creation of use cases. Analysts investigate alerts generated by these use cases, identifying and mitigating potential threats. Additionally, Splunk provides built-in and customizable use cases to enhance security measures.
We utilize the threat intelligence management feature in Splunk, which includes the provision of IOCs. Additionally, we have third-party intelligence services integrated into Splunk, which alert us whenever any related feature is triggered.
The effectiveness of the actionable intelligence offered by the threat intelligence management feature hinges on the third-party engines integrated or enabled within it. While false positives are common and require investigation, there are instances where identified IOCs are indeed malicious. In such cases, actions like reporting or following a predefined playbook can be taken.
We leverage the Splunk Mission Control feature, and I have hands-on experience with it. Typically, I manage it through Splunk, where I create rules, reports, and dashboards. Enabling third-party intelligence and other features involves a thorough review process, particularly when onboarding new clients. Once set up, we regularly review our baseline configuration and make adjustments as needed to ensure optimal performance. The Splunk Mission Control feature aids our organization in centralizing our threat intelligence and ticketing system data management. We integrate third-party intelligence services along with our company's proprietary advisories, particularly in the retail sector. This integration enables us to maintain a comprehensive reference set within Splunk.
We utilize the Threat Topology and MITRE ATT&CK Framework features to enhance our understanding of threats. These features offer micro-mapping visibility, allowing us to align identified needs with specific techniques.
The purpose of the MITRE ATT&CK Framework is to aid in discovering and understanding the full scope of an incident. Using the micro-hypotheses, we assess whether our subcontractors are adequately covered. We evaluate our rules to determine whether we have sufficient use cases for tactics and techniques, such as initial access. This process helps us identify any gaps in coverage within the MITRE ATT&CK Framework and address them accordingly.
Splunk is a valuable service for analyzing malicious activities and detecting breaches. However, I recommend ensuring comprehensive coverage of threats by integrating all relevant devices and maximizing visibility into logs. For instance, leveraging firewall logs enables the detection of anomalies at the network level, while logs from EDR solutions can identify malicious activities on endpoints.
Splunk has significantly improved our threat detection speed. Comparatively, when working with other teams, I've found Splunk to be more efficient due to its big data capabilities, allowing for faster analysis compared to IBM QRadar and similar tools.
The primary benefits our customers experience from utilizing Splunk in their organization are significant. While Splunk may be more costly compared to other machine solutions, its effectiveness shines in handling large volumes of data, making it ideal for organizations with extensive data needs. Unlike solutions like IBM QRadar, which may struggle with processing large amounts of data efficiently, Splunk's big data capabilities enable it to excel in such scenarios.
Splunk Enterprise has effectively decreased our alert volume across various use cases. Whenever we develop a new use case, we carefully analyze it, occasionally encountering false positives. In such instances, we collaborate with IT to whitelist these cases. Over time, as we accumulate a robust whitelist, the ratio of false positives diminishes, resulting in a higher rate of true positive alerts.
It has significantly accelerated our security investigations, proving to be immensely helpful. We can efficiently track and analyze user activities with most devices integrated into the Splunk environment. The visibility provided by Splunk allows us to coordinate activities seamlessly and thoroughly investigate any detected incidents. Whether it's identifying the origin of an activity or uncovering correlations between events, Splunk enables us to piece together the entire user activity chain swiftly and effectively.
Compared to other SIEM products, I've found that Splunk offers quicker alert resolution times. Its ability to efficiently handle large data volumes contributes to this advantage. Analysts typically have predefined playbooks and investigation checklists for when alerts are triggered, which Splunk supports well. Additionally, we've customized dashboards and reports to further streamline our detection process, ultimately reducing our response time.
For those seeking cost-effective solutions, Elastic Stack stands out as a popular choice due to its single-source administration and competitive pricing. Many industries, recognizing its affordability and robust services, are swiftly adopting Elastic and other similar solutions like Wazuh.
The value of resilience in a SIEM solution varies depending on the organization's preferences and requirements. Some organizations prioritize high availability and disaster recovery capabilities, which contribute to resilience.
What is most valuable?
As an analyst, I've observed that Splunk offers a variety of rule sets, along with built-in and customizable use cases. We have the flexibility to create dashboards and expand reports for management visibility. One key advantage of Splunk over competitors like IBM QRadar is its superior device integration capabilities. With Splunk, we can seamlessly integrate and coordinate data from various sources, enhancing our analytical capabilities.
What needs improvement?
I believe there is room for improvement in reducing costs, particularly in the financial aspect, as Splunk tends to be pricier compared to other options. Additionally, enhancing support services with more technical personnel is essential. Delays in responses from the technical team can pose challenges for both vendors and clients, especially considering that Splunk applications and machine solutions are critical assets. Splunk's pricing may pose a barrier for some users, but if it becomes more competitive, it could attract those currently using IBM QRadar or similar solutions. Additionally, considering the trend towards migration to Microsoft Sentinel, which offers a comprehensive suite including identity management and EDR coverage with Microsoft Defender, Splunk could benefit from offering similar modules. In Microsoft Sentinel, they offer a separate identity management module, which I find particularly valuable. Any anomalies detected within identity management trigger alerts, providing enhanced security.
For how long have I used the solution?
I have been working with it for two years.
What do I think about the stability of the solution?
It provides good stability capabilities.
What do I think about the scalability of the solution?
The scalability of Splunk, particularly when implemented as an enterprise solution, is notable. While we work with a limited number of clients, typically five to six, they are spread across various locations, including the US and Pakistan. From a maintenance perspective, our operations are based in Pakistan. Our clientele predominantly consists of customers from Gulf countries, and we also extend our services to clients in the US.
How are customer service and support?
There have been instances where the response time from Splunk's support team has been slower in comparison to others. I find IBM QRadar and similar solutions to have more efficient support teams. I would rate it five out of ten.
How would you rate customer service and support?
Neutral
What about the implementation team?
Our deployment team handles both deployment and support services, including maintenance responsibilities.
What was our ROI?
It offers a return on investment for our company.
What other advice do I have?
Overall, I would rate it eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Security Analyst at a computer software company with 51-200 employees
Out-of-the-box detections have supported threat identification while integration consolidates alerts from multiple sources
What is our primary use case?
I use other types of security solutions that integrate or import data into Splunk Enterprise Security, such as EDRs, firewalls, and other security products. The integration supports my security operations by providing one clear view of threat detections from firewalls and imported data.
What is most valuable?
The features of Splunk Enterprise Security that I appreciate the most are out-of-the-box detections. These features have benefited my organization because it's a product we sell, and we sell detecting threats in the organization. The features have benefited the organizations I sell to because without them a lot would have been self-programmed, and they support us in very different ways.
What needs improvement?
It's difficult to answer how Splunk Enterprise Security can be improved because I'm hearing AI mentioned frequently in the keynote. It's definitely out there and it's improving the whole process. I think that a lot of effort is going into the realization of AI, but some effort is left out because they don't always mention that the outcome has to always be verified. You just say, 'Ask AI to narrow down the threats, show me how to write an email, summarize it up,' but the additional process that comes with it is verifying it all. Maybe question it, and sometimes it's wrong and you have to start over. I think improving it would be either having different AI responses to cover more, or always having to verify the user, not relying on an answer.
The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are not in the product; they're in the human aspect. Writing the query and knowing what to search for is not a product problem.
For how long have I used the solution?
I have been using Splunk Enterprise Security for two years.
How are customer service and support?
I would evaluate customer service and technical support for Splunk Enterprise Security as good on a scale of one to 10.
How would you rate customer service and support?
Positive
How was the initial setup?
My experience with pricing, setup cost, and licensing is that it's expensive.
What's my experience with pricing, setup cost, and licensing?
I think the value of Splunk Enterprise Security is there, but it is one of the most expensive solutions on the market.
What other advice do I have?
My organization uses risk-based alerting in Splunk Enterprise Security, which supports our SOC by negating through false positives. On a scale of one to 10, I would rate Splunk Enterprise Security an eight.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Sep 15, 2025
Chief Product Officer at a comms service provider with 10,001+ employees
Customizable dashboards improve decision-making and efficient threat intelligence integration
What is our primary use case?
We are using the SIEM platform in our security operations center. We use it both for internal purposes, for monitoring the alerts coming from our network, and for the security operations center services we have built for our B2B customers. We are using QRadar, Splunk Enterprise Security, and more recently, we have added Elastic on top of it.
What is most valuable?
The features of Splunk Enterprise Security that I find the most useful include the event collector and the tool for analyzing the incidents. The dashboard that we use summarizes the alerts within a certain period of time. The customizable dashboard feature helps to improve the team's decision-making skills because it provides us with a clear image of the types of events that we have within a month, and we are able to classify them based on severity.
What needs improvement?
I do not really have any additional features that I would want to see in Splunk Enterprise Security. The ticketing platform could be improved. We are using our own ticketing platform right now, but we have integrated it into Splunk Enterprise Security to communicate and report back to our customers on the events to have constant interaction.
For how long have I used the solution?
I have been working with Splunk Enterprise Security for more than five years.
What do I think about the stability of the solution?
I have not faced any issues with stability or upgrades so far.
What do I think about the scalability of the solution?
Splunk Enterprise Security is easy to scale. We onboard more and more endpoints from our customer infrastructure without any issues scaling it up.
How are customer service and support?
We provide the Splunk Enterprise Security Threat Intelligence framework as a level three service for hunting and deeper inspection. We aggregate everything into a threat intelligence platform and provide feedback to our customers on their events.
How would you rate customer service and support?
Positive
How was the initial setup?
Splunk Enterprise Security is quite easy to set up, especially the on-premises solution.
What about the implementation team?
I have contacted Splunk Enterprise Security support for issues through a local partner that we work with. They provide the first level of support and in case there is a problem with the platform, they escalate it to the vendor.
What was our ROI?
Since implementing Splunk Enterprise Security, I have seen a return on investment. It is primarily a safety tool, so we do not expect a return on investment, but since we use the platform as an MSSP partner for Splunk Enterprise Security, we incur revenues for the services that we provide to our customers. We had a business case and the TCO looks quite acceptable.
What's my experience with pricing, setup cost, and licensing?
Splunk Enterprise Security is reasonably priced compared to other platforms, and the licensing model is quite flexible. Based on the gigabyte of data that we ingest on a daily basis, it is quite well positioned in the market.
What other advice do I have?
The event collector has been useful for us to gather logs from our customer's infrastructure. We have VPN connections with our customers, and we use the event collector to gather data from their network devices and incorporate it into the SIEM platform for further analysis.
The integration of Splunk Enterprise Security with our existing security infrastructure has influenced our threat detection capabilities as we use it as an independent tool. We have other security tools in place, such as firewalls from FortiGate, from Fortinet. We have some endpoint protection solutions, but we have integrated everything into the Splunk Enterprise Security platform. We use it as an XDR platform to collect logs from different sources, from clouds, from active directory, from endpoints, from routers, from firewalls, from all the points in our customer's infrastructure.
For the time being, we are quite satisfied with Splunk Enterprise Security. We are waiting for the AI engine to get more mature and to use it more extensively.
I would rate Splunk Enterprise Security a nine out of ten.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Aug 16, 2025
IT Operations & Security at a construction company with 201-500 employees
We can manage all the logs from every device on a single dashboard
Pros and Cons
- "Splunk can deliver more information by going deeper. By creating a dashboard, we can identify the root cause of the threat. Let's say I have a firewall from Check Point. Splunk will find the dashboard for Check Point, implement it in our environment, and connect it to the Check Point firewall logs, which are shown on the dashboard. If we request a custom dashboard, the engineer will take longer to complete the task."
- "Splunk should align its security principles with those of other vendors like SentinelOne. Splunk has mature APIs that can communicate with various security applications and devices. Splunk can process more to produce an understandable dashboard."
What is our primary use case?
I work in the pharma industry, and I use Splunk to aggregate all my reporting logs for my firewall and Active Directory logs. We have anti-spam, web application firewalls, and other solutions to secure our perimeter. We use Splunk for log management and have a stack to transpose a log from the firewall to a VM. When we directly feed the firewall logs to Splunk, they become intermittent and freeze.
How has it helped my organization?
The biggest benefit is that we can manage all the logs from every device on a single dashboard. I can put the log from the core system into Splunk to analyze for abnormal behavior and show that to the developer to improve it. Splunk can also analyze our security devices for security posture for CRM and ISO requirements, helping the organization obtain its ISO certificates.
We started to see the benefits of Splunk when we created our first dashboard. Based on the dashboard information, we can get deep insights from the log, where we define a security incident or event and assign a score to repetitive events. For example, we receive brute force attacks, where the hacker attempts to try a thousand or a million passwords. This will trigger alerts on the dashboard or email. We are not monitoring 24/7, so we can get alerts from Splunk. We can detect threats faster from firewalls and antivirus.
The consolidation helps us identify the source of the threat faster. They can analyze the forensics to dig into information from the log and correlate the devices. A unified log from various devices can simplify the IT team's response and reduce the alert volume by 35 percent.
What is most valuable?
Splunk can deliver more information by going deeper. By creating a dashboard, we can identify the root cause of the threat. Let's say I have a firewall from Check Point. Splunk will find the dashboard for Check Point, implement it in our environment, and connect it to the Check Point firewall logs, which are shown on the dashboard. If we request a custom dashboard, the engineer will take longer to complete the task.
I can create a custom dashboard for the firewall, antivirus, or endpoint protection. This will take time to complete because they need to understand the log type and mitigation of the process from the system or API.
Splunk helps us manage our hybrid environment, including our email system. The main email system is Microsoft Exchange, which is deployed on-premise, and the second is Office 365. There isn't much security for the hybrid environment. We get logs from the web application firewall, the firewall, and the anti-spam solution.
What needs improvement?
Splunk should align its security principles with those of other vendors like SentinelOne. Splunk has mature APIs that can communicate with various security applications and devices. Splunk can process more to produce an understandable dashboard.
Splunk's latest version is much better than before. It's more resilient and powered by AI. It can ingest more complex logs. It will be better because we're using the legacy one.
For how long have I used the solution?
I have used Splunk for around six years.
What do I think about the stability of the solution?
I rate Splunk 10 out of 10 for stability. We've had no problems as long as we ensure we have capacity planning for the log system, which is growing every second.
What do I think about the scalability of the solution?
I rate Splunk nine out of 10 for scalability.
How are customer service and support?
I rate Splunk support eight out of 10. Support was great, and they responded quickly.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Splunk is our first SIEM, but we'd like to explore Wazuh more.
How was the initial setup?
It's hard to say whether deploying Splunk was straightforward or complex because sometimes the consultant did the work for us. I handled the operations side, and the consultant did the project itself. It was completed in two days.
What's my experience with pricing, setup cost, and licensing?
Splunk is expensive. It's based on the data inside the log. If you produce bigger logs, the cost goes up. We pay a license up to a set size, let's say 100 gigabytes, and if we have 101, they charge us for the overage. We pay about a billion Indonesian rupiah.
There are many cheaper solutions. Microsoft Sentinel is also a little expensive, but there are cheaper ones like Wazuh, Graylog, and Rapid7.
What other advice do I have?
I rate Splunk Enterprise Security nine out of 10. If you want to use Splunk, you can try the free version, which goes up to half a gig. You can feed a log from the Active Directory. If you take that information directly from Active Directory, it will be hard to read. Splunk provides a good dashboard.
Splunk is an excellent choice for an organization that needs a fully scalable and highly customizable solution. We can customize the dashboard to combine all the device logs. Unfortunately, others still need to learn how to do that. It depends on an organization's needs and resources because it's not cheap.
It's on the higher end of pricing, which can be a significant factor for small organizations with budget constraints. It's more appropriate for the enterprise level and companies with over 500 employees.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior advisor at a computer software company with 501-1,000 employees
It's easier to customize than other solutions
Pros and Cons
- "We have created a few custom use cases for Splunk that have helped us detect threats faster. For example, we set up endpoint-related data models and specialized setups for various scenarios. It's more efficient than some other products I've used."
- "The access and identity features could be improved. For example, let's say we have onboarded 65 logs. Now, we can identify the various processes, but we run into trouble when we're updating the processes for AWS CloudTrail, EDR, MDR, and XDR."
What is our primary use case?
I am on the intelligent engineering team responsible for onboarding logs and operationalizing Splunk Enterprise. We have a separate team for creating use cases and other stuff. I onboard logs and manage the infrastructure. When you onboard various logs, it creates different data models and normalizes the fields for compliance.
How has it helped my organization?
We have created a few custom use cases for Splunk that have helped us detect threats faster. For example, we set up endpoint-related data models and specialized setups for various scenarios. It's more efficient than some other products I've used.
Splunk has sped up our security investigations. We can automate some functions using playbooks, like automating scans for perimeter vulnerability. If you have the signatures, Splunk can intervene automatically to block threats according to the playbook.
What is most valuable?
Splunk lets us integrate multiple third-party threat intelligence feeds. We can also customize the data models for correlation more than we could with competing SIEM solutions. We can filter out the noise and see our alerts.
I created some security reports or dashboards. We also have dashboards for user requests related to our firewalls, like Palo Alto and traffic or activity alerts. We can also see where we're getting a lot of authentication failures, etc. We've also created some other custom use cases, like using VPN logs and use cases for analyzing the national origins of repetitive malware. We have integrated some other solutions like Carbon Black EDR or MDR as well as Vectra, which is fully automated with AI. They have their own signatures.
We get decent visibility with Splunk and integration with data visualization tools like Grafana. We also have various threat intelligence feeds that are updated regularly with the latest IOCs and signatures, which we can use for threat hunting.
What needs improvement?
The access and identity features could be improved. For example, let's say we have onboarded 65 logs. Now, we can identify the various processes, but we run into trouble when we're updating the processes for AWS CloudTrail, EDR, MDR, and XDR.
For how long have I used the solution?
I have used Splunk for the past three or four years.
What do I think about the stability of the solution?
Splunk is stable. It has around 97 percent uptime in my environment.
What do I think about the scalability of the solution?
I rate Splunk Enterprise Security nine out of 10 for scalability.
How are customer service and support?
I rate Splunk technical support seven out of 10. We rarely rely on Splunk support except for critical upgrades and migrations. Sometimes, we open a ticket if we see a performance problem, and they find a solution. Typically, we find a solution for our issues online in user forums or knowledge bases.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Previously, we used some open-source solutions, Sumo Logic, and Graylog.
How was the initial setup?
We have Splunk deployed in two environments for different purposes. One is for ITSI, general dashboards, and our APM application. That is deployed in the cloud. We have it in an on-premises environment for enterprise security. We have a cluster that spans three data centers. Deploying Splunk is easy if you have some experience. Configuring the log sources, managing the indexes, and learning all the features is more challenging.
Splunk doesn't require maintenance aside from the disaster recovery and DLP aspects. We have a huge environment in different data centers set up for high availability.
What was our ROI?
Splunk is expensive, but you can get a lot out of it if you have the expertise and know how to customize it. It's more customizable than other platforms. In Java or .NET, everything is pretty defined, so you can't do much customization, whereas Splunk lets you customize dashboards, alerts, and reports using SQL. The cheapest solution is always open source, but these products don't have many capabilities. They might work in a small environment. I would recommend trying LogRhythm, ELK, or Google Chronicle.
What's my experience with pricing, setup cost, and licensing?
Splunk is very expensive because we have recently integrated another solution, and 40 percent of the licensing cost is driven by that.
What other advice do I have?
I rate Splunk Enterprise Security nine out of 10. I would recommend Splunk to others. When implementing Splunk, it's crucial to set up your use cases, onboard threat intelligence and log sources, and create data models. Using simple XML language, you can create a data model and a simple pivot table to generate complex reports.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.