Splunk Enterprise Security Reviews

I have created various correlation searches to develop use cases for detecting security threats. For example, I have created use cases to identify brute force attacks, unauthorized access, denial of service attacks, and distributed denial of service attacks. To date, I have developed a total of 190 use cases for our environment using Splunk Enterprise Security.

The end-to-end visibility provided by Splunk Enterprise Security is crucial. Its user-friendly interface makes it easy to navigate and configure. The intuitive options allow for simple customization, enabling users to easily select and configure settings. This feature, combined with the excellent support from the Splunk team, makes it a valuable tool for addressing enterprise security issues and creating or modifying use cases.

Splunk's website provides a variety of simple commands for identifying security events. These commands and pre-built security fields make it easy to detect real-time attacks, monitor environments, and identify security threats. Splunk offers a more straightforward and efficient approach than other monitoring tools.

Splunk automatically ingests and normalizes data, eliminating the need for human intervention. When data is ingested, it is automatically converted into index-friendly formats within most source pipes.

The MITRE ATT&CK framework is a valuable tool for security teams, and its integration with Splunk Enterprise Security offers significant benefits. By mapping specific MITRE ATT&CK tactics to Splunk use cases, analysts can quickly identify the root cause of security incidents and access relevant information for remediation. For example, if a brute force attack occurs, an analyst reviewing the incident can quickly determine the corresponding MITRE ATT&CK tactic and access detailed information about the attack, including potential solutions, mitigation strategies, and potential future actions. This seamless integration between MITRE ATT&CK and Splunk empowers security teams to respond to threats more effectively and efficiently.

Splunk has significantly enhanced my business resilience and problem-solving capabilities. Due to the urgency of different issues, there are four types of Splunk support cases: P1, P2, P3, and P4. P1 cases are incredibly critical and require immediate attention. If a business-critical issue arises, I can open a P1 case, and the Splunk support team will respond within 15 minutes. This rapid response has enabled me to resolve critical issues promptly. For P2 cases, the support team typically connects within two to three hours. P3 cases receive a response within 24 hours. Overall, the Splunk support team consistently resolves issues efficiently.

After deploying the use case, we immediately observed the benefits of Splunk Enterprise Security. We can instantly monitor enterprise security use cases in our environment without delay. However, as a precautionary measure, we deploy use cases and monitor them for seven days. If the use case does not generate excessive noise within this period, we deploy it to the final environment. Otherwise, we refrain from deployment. Splunk's capability allows us to deploy use cases within seconds.

Splunk helps me consolidate all the data, such as networking and cyber security data. If there are other types, such as behaviour analysis, we can perform them with the help of Splunk. But I'm mainly in the cyber security field, so I am more concerned with Splunk for cyber security data only. For example, in my PhD, I created my thesis based on medical performance monitoring. I monitor the performance health condition of one million people with the help of Splunk. So, this is not a cybersecurity use case I'm creating there. I monitor the health condition with the help of a Splunk Enterprise. If a health condition is significant, the alert immediately goes to the doctor, physician, and their relative.

My alert volume has decreased significantly. Splunk is a machine that generates alerts based on specific use cases or service queries. Before implementing a new use case or alert, we must analyze how many alerts it will trigger. If it generates fewer than one alert per day, it's acceptable. However, I will only deploy it if it generates one daily alert. This approach allows me to reduce the alert volume effectively using Splunk Enterprise Security.

Splunk streamlined my security investigations by consolidating logs into a single repository. The Splunk community provided invaluable assistance, enabling me to quickly find answers to my security-related questions and address concerns promptly. By leveraging the collective knowledge of the global community, I expedited my security processes and enhanced overall security measures.

Splunk reduces the mean time to resolve because it enables L1 SOC analysts to view relevant data in the power role field directly. For example, when a brute force attack alert triggers, analysts can easily see the source IP, time of the alert, user, destination IP, and other critical fields. This immediate access to information allows for swift preventive measures, countermeasures, and efficient resolution of cybersecurity issues. Splunk's clear and intuitive interface empowers even junior analysts with only one year of experience to effectively apply their knowledge and address security challenges.

The two features I like most in Splunk Enterprise Security are the content management system and the inter-incident review dashboard. The incident review dashboard allows us to directly view significant events triggered by the use cases I've configured within the content management system.

I suggest that Splunk provide the same resources on its platform, as on other websites through Google. For instance, they could offer pre-built search queries for everyday use cases like brute force attacks, DDoS attacks, and other security threats. These queries would be generated based on my specific data, saving me the time and effort of creating them manually. This would be incredibly beneficial and align with the AI capabilities already present in Splunk Enterprise Security.

I have been using Splunk Enterprise Security for eight years.

In the eight years I have used Splunk Enterprise Security, I have experienced no stability issues. There has been no downtime or crashing. The only problems I have encountered were temporary interruptions in some features, lasting approximately 15 minutes.

Splunk Enterprise Security is highly scalable. For example, I currently have one terabyte of data to deploy, and tomorrow, I need to deploy ten terabytes. In that case, the system can easily accommodate the increased load without compromising performance. It is extremely fast and efficient, ensuring no issues even as the input data volume grows. The system adjusts quickly to meet the demands of expanding data requirements.

I have contacted Splunk technical support three times in the past fifteen days due to various issues encountered while using Splunk. Each time I reached out, they responded promptly and assisted me in resolving the problems.

Positive

I have used several alternatives to Splunk, such as AppDynamics, Dynatrace, and Oracle Enterprise Manager. However, I have found Splunk Enterprise and Splunk Enterprise Security the most effective tools for my needs. These platforms are easy to use, allowing for flexible parameter customization and dynamic adjustments to meet specific requirements.

The initial deployment of Splunk Enterprise Security was straightforward due to my prior experience learning and using various tools. I found it to be significantly easier to implement than similar software.

I set up my lab independently, being new to the environment at the time and eager to learn. I visited the Splunk website and discovered the free courses they offer. Using these courses, I successfully configured my lab. Splunk provides valuable assistance for setting up personal labs and offers a 60-day trial version. This version allows for direct log setup and hands-on practice of Splunk skills without cost.

Splunk Enterprise Security's pricing is competitive. For instance, the cost typically increases proportionally with the daily license volume. For example, purchasing a 100 GB license per day is less expensive than buying one GB per day. A discount is offered for larger volume purchases.

I would rate Splunk Enterprise Security eight out of ten.

The use cases depend on how you want detections to be set up. For example, you can have specific use cases for Office 365 alerts, Carbon Black, or more extensively towards MITRE ATT&CK framework. You can enable different analysis stories and alerts based on these use cases. You can individually go ahead and enable them. 

It is really important that Splunk Enterprise Security provides end-to-end visibility into our environment because there are multiple levels of hierarchy within an organization. 

We need easy visibility starting from L0 analysts to the SOC manager and director. So, if it is easily visible, it makes the operations easy to teach the basic analyst or also to show the upper management what we have in the current scenario or how an investigation is going on. Visibility is very important.

Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data. We have different teams approaching us to use Splunk, ingest their logs, and aggregate their logs.

The system helped us reduce our alert volume mostly because a lot of false positives had been fine-tuned. That was my last two months of work consolidated. I had to go in, check on all the alerts, see what was using a huge spike in alerts, and make sure the false positives were reduced and the alerts had come down. 

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. It makes investigations much easier. With more information and the right applications, I break down the investigation in such a way that I can build a timeline. Once I have a timeline, I can build a story around it and make a report around it. Splunk definitely has helped a lot.

Splunk Enterprise Security helped reduce our mean time to resolve. Using the identity investigator and asset investigator applications definitely reduces the meantime for an investigation. I can see all the authentication logs, changes made, and threat IDs by simply inputting a username or asset name. It reduces investigation time by about 60 to 75%.

We currently use it for our security team. The next step is to pitch it to different teams and get it integrated for them as well.

The most valuable features include the incident review and Dashboard Studio. My job involves building dashboards, so it's easy to visualize and explain the environment using Dashboard Studio. 

Incident review with my SOC job helps me check all the incidents and alerts coming in.

Having analysts put their notes directly within the investigation feature in the incident review would be beneficial. To make notes. 

We have to go to multiple tabs for each dashboard, for each incident, or each application within Splunk, so if there is a way to consolidate all the tabs or everything into one app for that particular organization where an analyst could just click on that and everything is there. That would be a really good feature.  

I've been using Splunk for about five years now. I started at my previous job right after my master's. I was working for Santander Bank, where I used Splunk extensively for three years. I was a SOC analyst there.

Now at the current company, I've been here for about a year, so I've been using it here as well.

Cisco being Cisco, just bought Splunk. I would give it some more time to see how things go. 

Prior to Splunk's acquisition by Cisco, Splunk was really good. 

Overall, the customer service and support were very good. At times, we had difficulties reaching out for your questions but most of the time, they were answered. Due to the time constraints, we had just 100 hours working with the consultant. So some things kind of took some time with that.

Positive

When I joined this current company, they had Rapid7. It was horrendous and horrible. It was not easy to use. I'm kind of partial to Splunk because I started off with Splunk, so, we switched. 

I joined last July and asked my manager about the current solutions. He was not happy with how Rapid7 was working either. We evaluated different vendors, including Microsoft Defender and Sentinel. My preference for Splunk played a role in our decision.

We had a consultant for the integration process. They were very helpful. We had a consultant named Sayed who guided us through the process. They provided step-by-step instructions (kinda baby steps), walked us through analytics and restoring, and different aspects of Splunk. It was a really helpful experience.

It's only been about two and a half to three months. It's still fairly new to our environment. I would give it three to four more months before assessing ROI.

We evaluated Sentinel, Palo Alto, and Splunk, along with Rapid7, which was already in the environment. So, we evaluated these four options. 

Splunk gave us the opportunity to take in or put in the logs whatever we wanted and plug in different applications, whichever we wanted to have the visibility. 

We didn't have that flexibility with Palo Alto and Sentinel. We didn't have the investigation ease with the others; the investigation ease within Splunk is very easy. 

I could build an SQL query within a minute, or I could just open up different documents to have it right there. But if I go to Palo Alto, it's not there. 

Defender was quite a good competition. Like Sentinel, it was a good competition, but Splunk stopped where the investigation time was considerably less compared to Sentinel.

Overall, I would rate it a nine out of ten because we haven't integrated a lot of applications like SOAR and stuff. Once we have everything in place, it might be a ten. But right now, I would go with a nine.

I use other types of security solutions that integrate or import data into Splunk Enterprise Security, such as EDRs, firewalls, and other security products. The integration supports my security operations by providing one clear view of threat detections from firewalls and imported data.

The features of Splunk Enterprise Security that I appreciate the most are out-of-the-box detections. These features have benefited my organization because it's a product we sell, and we sell detecting threats in the organization.The features have benefited the organizations I sell to because without them a lot would have been self-programmed, and they support us in very different ways.

It's difficult to answer how Splunk Enterprise Security can be improved because I'm hearing AI mentioned frequently in the keynote. It's definitely out there and it's improving the whole process. I think that a lot of effort is going into the realization of AI, but some effort is left out because they don't always mention that the outcome has to always be verified. You just say, 'Ask AI to narrow down the threats, show me how to write an email, summarize it up,' but the additional process that comes with it is verifying it all. Maybe question it, and sometimes it's wrong and you have to start over. I think improving it would be either having different AI responses to cover more, or always having to verify the user, not relying on an answer.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection are not in the product; they're in the human aspect. Writing the query and knowing what to search for is not a product problem.

I have been using Splunk Enterprise Security for two years.

I would evaluate customer service and technical support for Splunk Enterprise Security as good on a scale of one to 10.

Positive

My experience with pricing, setup cost, and licensing is that it's expensive.

I think the value of Splunk Enterprise Security is there, but it is one of the most expensive solutions on the market.

My organization uses risk-based alerting in Splunk Enterprise Security, which supports our SOC by negating through false positives. On a scale of one to 10, I would rate Splunk Enterprise Security an eight.

We are using the SIEM platform in our security operations center. We use it both for internal purposes, for monitoring the alerts coming from our network, as well as we have built security operation center services for our B2B customers. We are using QRadar, Splunk Enterprise Security, and more recently, we have added Elastic on top of it.

The features of Splunk Enterprise Security that I find the most useful include the event collector and the tool for analyzing the incidents. The dashboard that we use summarizes the alerts within a certain period of time. The customizable dashboard feature helps to improve the team's decision-making skills because it provides us with a clear image of the types of events that we have within a month, and we are able to classify them based on severity.

I do not really have any additional features that I would want to see in Splunk Enterprise Security. The ticketing platform could be improved. We are using our own ticketing platform right now, but we have integrated it into Splunk Enterprise Security to communicate and report back to our customers on the events to have constant interaction.

I have been working with Splunk Enterprise Security for more than five years.

I have not faced any issues with stability or upgrades so far.

Splunk Enterprise Security is easy to scale for scalability. We onboard more and more endpoints from our customer infrastructure without any issues scaling it up.

We provide the Splunk Enterprise Security Threat Intelligence framework as a level three service for hunting and deeper inspection. We aggregate everything into a threat intelligence platform and provide feedback to our customers on their events.

Positive

Splunk Enterprise Security is quite easy to set up, especially the on-premises solution.

I have contacted Splunk Enterprise Security support for issues through a local partner that we work with. They provide the first level of support and in case there is a problem with the platform, they escalate it to the vendor.

Since implementing Splunk Enterprise Security, I have seen a return on investment. It is primarily a safety tool, so we do not expect a return on investment, but since we use the platform as an MSSP partner for Splunk Enterprise Security, we incur revenues for the services that we provide to our customers. We had a business case and the TCO looks quite acceptable.

Splunk Enterprise Security is reasonably priced compared to other platforms, and the licensing model is quite flexible. Based on the gigabyte of data that we ingest on a daily basis, it is quite well positioned in the market.

The event collector has been useful for us to gather logs from our customer's infrastructure. We have VPN connections with our customers, and we use the event collector to gather data from their network devices and incorporate it into the SIEM platform for further analysis.

The integration of Splunk Enterprise Security with our existing security infrastructure has influenced our threat detection capabilities as we use it as an independent tool. We have other security tools in place, such as firewalls from FortiGate, from Fortinet. We have some endpoint protection solutions, but we have integrated everything into the Splunk Enterprise Security platform. We use it as an XDR platform to collect logs from different sources, from clouds, from active directory, from endpoints, from routers, from firewalls, from all the points in our customer's infrastructure.

For the time being, we are quite satisfied with Splunk Enterprise Security. We are waiting for the AI engine to get more mature and to use it more extensively.

I would rate Splunk Enterprise Security a nine out of ten.

I work in the pharma industry, and I use Splunk to aggregate all my reporting logs for my firewall and Active Directory logs. We have anti-spam, web application firewalls, and other solutions to secure our perimeter. We use Splunk for log management and have a stack to transpose a log from the firewall to a VM. When we directly feed the firewall logs to Splunk, they become intermittent and freeze. 

The biggest benefit is that we can manage all the logs from every device on a single dashboard. I can put the log from the core system into Splunk to analyze for abnormal behavior and show that to the developer to improve it. Splunk can also analyze our security devices for security posture for CRM and ISO requirements, helping the organization obtain its ISO certificates.

We started to see the benefits of Splunk when we created our first dashboard. Based on the dashboard information, we can get deep insights from the log, where we define a security incident or event and assign a score to repetitive events. For example, we receive brute force attacks, where the hacker attempts to try a thousand or a million passwords. This will trigger alerts on the dashboard or email. We are not monitoring 24/7, so we can get alerts from Splunk. We can detect threats faster from firewalls and antivirus. 

The consolidation helps us identify the source of the threat faster. They can analyze the forensics to dig into information from the log and correlate the devices. A unified log from various devices can simplify the IT team's response and reduce the alert volume by 35 percent. 

Splunk can deliver more information by going deeper. By creating a dashboard, we can identify the root cause of the threat. Let's say I have a firewall from Check Point. Splunk will find the dashboard for Check Point, implement it in our environment, and connect it to the Check Point firewall logs, which are shown on the dashboard. If we request a custom dashboard, the engineer will take longer to complete the task. 

I can create a custom dashboard for the firewall, antivirus, or endpoint protection. This will take time to complete because they need to understand the log type and mitigation of the process from the system or API.

Splunk helps us manage our hybrid environment, including our email system. The main email system is Microsoft Exchange, which is deployed on-premise, and the second is Office 365. There isn't much security for the hybrid environment. We get logs from the web application firewall, the firewall, and the anti-spam solution. 

Splunk should align its security principles with those of other vendors like SentinelOne. Splunk has mature APIs that can communicate with various security applications and devices. Splunk can process more to produce an understandable dashboard.

Splunk's latest version is much better than before. It's more resilient and powered by AI. It can ingest more complex logs. It will be better because we're using the legacy one.

I have used Splunk for around six years.

I rate Splunk 10 out of 10 for stability. We've had no problems as long as we ensure we have capacity planning for the log system, which is growing every second. 

I rate Splunk nine out of 10 for scalability. 

I rate Splunk support eight out of 10. Support was great, and they responded quickly. 

Positive

Splunk is our first SIEM, but we'd like to explore Wazuh more.

It's hard to say whether deploying Splunk was straightforward or complex because sometimes the consultant did the work for us. I handled the operations side, and the consultant did the project itself. It was completed in two days. 

Splunk is expensive. It's based on the data inside the log. If you produce bigger logs, the cost goes up. We pay a license up to a set size, let's say 100 gigabytes, and if we have 101, they charge us for the overage. We pay about a billion Indonesian rupiah. 

There are many cheaper solutions. Microsoft Sentinel is also a little expensive, but there are cheaper ones like Wazuh, Graylog, and Rapid7.

I rate Splunk Enterprise Security nine out of 10. If you want to use Splunk, you can try the free version, which goes up to half a gig. You can feed a log from the Active Directory. If you take that information directly from Active Directory, it will be hard to read. Splunk provides a good dashboard. 

Splunk is an excellent choice for an organization that needs a fully scalable and highly customizable solution. We can customize the dashboard to combine all the device logs. Unfortunately, others still need to learn how to do that. It depends on an organization's needs and resources because it's not cheap.

It's on the higher end of pricing, which can be a significant factor for small organizations with budget constraints. It's more appropriate for the enterprise level and companies with over 500 employees. 

I am on the intelligent engineering team responsible for onboarding logs and operationalizing Splunk Enterprise. We have a separate team for creating use cases and other stuff. I onboard logs and manage the infrastructure. When you onboard various logs, it creates different data models and normalizes the fields for compliance.

We have created a few custom use cases for Splunk that have helped us detect threats faster. For example, we set up endpoint-related data models and specialized setups for various scenarios. It's more efficient than some other products I've used. 

Splunk has sped up our security investigations. We can automate some functions using playbooks, like automating scans for perimeter vulnerability. If you have the signatures, Splunk can intervene automatically to block threats according to the playbook. 

Splunk lets us integrate multiple third-party threat intelligence feeds. We can also customize the data models for correlation more than we could with competing SIEM solutions. We can filter out the noise and see our alerts. 

I created some security reports or dashboards. We also have dashboards for user requests related to our firewalls, like Palo Alto and traffic or activity alerts. We can also see where we're getting a lot of authentication failures, etc. We've also created some other custom use cases, like using VPN logs and use cases for analyzing the national origins of repetitive malware. We have integrated some other solutions like Carbon Black EDR or MDR as well as Vectra, which is fully automated with AI. They have their own signatures.

We get decent visibility with Splunk and integration with data visualization tools like Grafana. We also have various threat intelligence feeds that are updated regularly with the latest IOCs and signatures, which we can use for threat hunting. 

The access and identity features could be improved. For example, let's say we have onboarded 65 logs. Now, we can identify the various processes, but we run into trouble when we're updating the processes for AWS CloudTrail, EDR, MDR, and XDR. 

I have used Splunk for the past three or four years. 

Splunk is stable. It has around 97 percent uptime in my environment. 

I rate Splunk Enterprise Security nine out of 10 for scalability. 

I rate Splunk technical support seven out of 10. We rarely rely on Splunk support except for critical upgrades and migrations. Sometimes, we open a ticket if we see a performance problem, and they find a solution. Typically, we find a solution for our issues online in user forums or knowledge bases.  

Neutral

Previously, we used some open-source solutions, Sumo Logic, and Graylog. 

We have Splunk deployed in two environments for different purposes. One is for ITSI, general dashboards, and our APM application. That is deployed in the cloud. We have it in an on-premises environment for enterprise security. We have a cluster that spans three data centers. Deploying Splunk is easy if you have some experience.  Configuring the log sources, managing the indexes, and learning all the features is more challenging. 

Splunk doesn't require maintenance aside from the disaster recovery and DLP aspects. We have a huge environment in different data centers set up for high availability. 

Splunk is expensive, but you can get a lot out of it if you have the expertise and know how to customize it. It's more customizable than other platforms.  In Java or .NET, everything is pretty defined, so you can't do much customization, whereas Splunk lets you customize dashboards, alerts, and reports using SQL. The cheapest solution is always open source, but these products don't have many capabilities. They might work in a small environment. I would recommend trying LogRhythm, ELK, or Google Chronicle.

Splunk is very expensive because we have recently integrated another solution, and 40 percent of the licensing cost is driven by that. 

I rate Splunk Enterprise Security nine out of 10. I would recommend Splunk to others. When implementing Splunk, it's crucial to set up your use cases, onboard threat intelligence and log sources, and create data models. Using simple XML language, you can create a data model and a simple pivot table to generate complex reports. 

We mostly use the solution for compliance, logging, log storage, and root cause analysis. In 2015, we had AIG as a client, and they only had Splunk. Splunk Enterprise Security is one of the oldest solutions that did the logging and storage.

Splunk has fantastic brand value, which helps us sell it as resellers. The solution's pricing is quite competitive. The solution meets all the requirements. As a compliance person, I know that log storage is very important for data privacy compliance guidelines like ISO or CCPA. Splunk provides all of those compliances and checkmarks.

I like that the tool is light and the agent doesn't slow down the machine. Splunk Enterprise Security is a standard solution providing good customer service and partnership.

The solution should improve regional knowledge of the new regulations coming out of the Middle East. As a consulting firm, we are currently targeting many Middle Eastern markets, including Saudi Arabia and Dubai. They don't have a local server support cloud center there, which is a big issue because they don't want their data to go out of the region. Splunk should have more regional data centers in the Middle East.

I have been using Splunk Enterprise Security for five years.

Splunk Enterprise Security provides good stability.

The solution's scalability is fantastic. Even 10,000 to 50,000 endpoints don't slow anything down. The servers, log storage, and ingestion work smoothly, irrespective of whether there are 5,000 or 50,000 endpoints.

The solution’s technical support is very good.

Our customers using Splunk Enterprise Security don't have any compliance issues, and they don't get fined by the regulators, which saves them money.

Splunk Enterprise Security's pricing is pretty competitive.

I'm a consultant who uses Splunk for other clients. It's important for the clients that it can communicate with all kinds of devices, like firewalls, WAFs, servers, endpoints, switches, and routers. All of that is figured out over time, which is useful.

Splunk Enterprise Security is a good tool for finding security events across multi-cloud, on-premises, or hybrid environments.

Splunk has helped improve our organization's ability to ingest and normalize data. It can also identify and solve P1 or high-critical-priority problems in real-time.

Splunk Enterprise Security has helped us reduce our alert volume by around 50%.

The solution provides us with the relevant context to help guide our investigations, and this context information has impacted our investigation process. Having all the data in a single place does help with post-incident response and forensic root cause analysis.

Splunk Enterprise Security has significantly helped speed up our security investigations. I save 60% to 70% of my time because it's easier to find what I want to find through the tool's user interface.

Splunk Enterprise Security has helped reduce our mean time to resolve by around 50%.

Overall, I rate the solution ten out of ten.

We use Splunk Enterprise Security to secure our client's network and provide clear visibility.

Our client lacked an SIEM solution to comply with regulations, so we recommended Splunk Enterprise Security, and they agreed to implement it.

Splunk Enterprise Security provides complete visibility into the environment. We can add any data to the indexer, and it will begin to be displayed. All we need to do is create use cases tailored to the client's needs.

Splunk's threat intelligence management capabilities are strong, thanks to its user-friendly interface and ability to correlate data from various sources. While it competes favorably with other SIEM tools, its effectiveness ultimately depends on how it's configured.

The actionable intelligence from Splunk's threat intelligence management feature helps us understand what's happening in our environment, enabling further investigation.

We updated the IOCs within the MITRE ATT&CK framework indexing for Splunk. This allows us to compare all received alerts against the MITRE ATT&CK categories. By using the MITRE ATT&CK framework, I can identify the potential type of threat, its mitigation strategies, and the overall attack behavior. Furthermore, I can use the framework to investigate the affected hosts, their origin, and the attack vector.

Splunk Enterprise Security does a good job analyzing malicious activities and detecting breaches.

Splunk Enterprise Security has improved our detection time.

Splunk Enterprise Security has improved our clients' security posture by providing them with better visibility into vulnerabilities, along with proper mitigation strategies and clear explanations. The benefits are apparent within the first month.

Splunk Enterprise Security helped us reduce our alert volume. Initially, the high number of alerts was overwhelming because we were in a new environment, but the volume gradually leveled off and decreased by 50 percent.

Splunk Enterprise Security has accelerated our security investigations by 30 percent. It integrates seamlessly with our EDR solution, providing a single pane of glass view for all security logs.

Splunk Enterprise Security offers valuable features like seamless integration and a SQL-standard Structured Query Language for easy searching. Additionally, implementing devices is straightforward, similar to a plug-and-play process.

Splunk's insider threat detection capabilities have limitations. While it offers customization, pre-configured rules for common threats are scarce. This means we need to create our own rules, which can be effective if we have the expertise and understand our specific needs. However, behavior analytics seem less useful and have room for improvement.

Splunk's implementation process for managing multiple indexes can be complex, especially when dealing with a large number of components.

Splunk could benefit from a feature that allows users to indicate they are working on an alert or incident. This would prevent other users from wasting time investigating the same issue. Ideally, this wouldn't involve a formal assignment, but rather a temporary indication that someone is currently looking into it.

I have been using Splunk Enterprise Security for 9 months.

Splunk Enterprise Security is reliable and the stability is a ten out of ten.

Splunk Enterprise Security offers good resilience. Even for unsupported tools, simple integrations can be customized. Splunk is constantly improving.

I would rate the scalability of Splunk Enterprise Security ten out of ten.

The technical support team is excellent. They proactively identify and inform clients about any vulnerabilities or security gaps in their environment.

Positive

The initial deployment of Splunk Enterprise Security was fairly straightforward. While the documentation is comprehensive, fully deploying the solution can be time-consuming. The timeframe can vary depending on your environment's complexity. For instance, a company with 1500 to 2000 employees and a large number of systems and servers might require a month for complete deployment.

I collect the client's requirements and then open a support ticket with Splunk. The ticket will address configuration assistance and, if the deployment is in the cloud, will inquire about the client's storage needs. After I submit the ticket, Splunk will communicate directly with the client.

The deployment involves several teams, and I lead the oversight of both the deployment itself and the analytics function, ensuring a seamless process.

While some clients find the cost of Splunk Enterprise Security to be on the higher end, its pricing is comparable to other SIEM solutions. Ultimately, the value it delivers justifies the investment.

Don't simply choose the cheapest SIEM solution. Consider your organization's specific needs and environment. Even if you prioritize affordability right now, I can offer more powerful tools. However, the best solution isn't just about price. It depends entirely on your environment. Therefore, you need to establish a budget based on your specific requirements. Ultimately, the ideal SIEM solution aligns with your organization's needs.

I would rate Splunk Enterprise Security 8 out of 10.

Splunk Enterprise Security requires maintenance for new onboarding, log management, and archiving. A maximum of two people are required for the maintenance.

Splunk Enterprise Security is a robust security solution that's easy to manage after initial configuration.