Splunk Enterprise Security Reviews

We essentially use Splunk for our Security Operations Center (SOC). All of the notables that we create for the SOC are done in Splunk Enterprise Security. It is our SIEM.

I cannot put a value on it, but it has been pretty good. Previously, we used to use ArcSight. I used to do incident response when I first joined the SOC, and there were times when I used to sit down and run a search right at the start of my shift, which is at 7 AM, and I used to hope that it would be run by the end of the shift at 7 PM. I used to hope that it would run in 12 hours and not time out. When we got Splunk, it was a game changer. It took seconds to a minute depending on how intense the search was.

We monitor multiple cloud environments. It is easy to ingest data in Splunk. Based on what I hear from our customer success manager, he has customers who have issues ingesting logs, but for me, it is one of the easiest things ever. Their documentation is fantastic.

Splunk Enterprise Security has end-to-end visibility into our cloud-native environments. It is very important for us. When we first got cloud, it was like the Wild West. Anyone could spin up their own cloud infrastructure, and we would not know about it. It was public. We did not know what they were doing with it. Now, we have a better grasp and understanding of what is out there, so Splunk makes it easy for us to keep track of our endpoints that are public-facing.

Splunk Enterprise Security has helped reduce our mean time to resolve. As compared to ArcSight, it has saved at least three to four hours per incident. We utilize a SOAR platform. We do not use Splunk SOAR. We use a different SOAR platform, but with the combination of Splunk Enterprise Security and our SOAR platform, we are able to cut down our mean time to resolve. The time saved varies depending on the case. A normal case would probably take less than ten minutes per investigation. A critical P1 case would take more time, but a normal day-to-day case would take less than ten minutes for our analysts to do their work. A normal case is where a user clicks on a phishing link in an email, or your EDR solution says something happened and there is a threat actor in your environment moving laterally trying to access data.

The correlation searches are most valuable just because we are able to do things like RBA. One of the things that we started pretty recently is our insider threat program, and it has been pretty good, especially using RBAs as our framework for the insider threat.

The UI could be better. This is applicable to Splunk in general. I know that a lot of people who get their hands on Splunk are hesitant to use it just because they find it overwhelming. There are a lot of options. If you open Google.com, you just have a search bar. You just search and hit "go," but when people look at Splunk, they are just overwhelmed. I see that with our analysts. Even after training, if they do not use it every day, which they should be doing, they kind of lose it.

Its learning curve is a bit steep. It is hard for users to use it. For individuals who know how to use it, it is fantastic. It is great. For example, if you are a Splunk Cloud customer, and you had an outage or there is a maintenance window, those individuals who are power users would know immediately when it happens or they would know that there is a maintenance window coming up because they are the experts. They are the SMEs on their teams, and they are the ones creating value using Splunk. Individuals who do not know how to use it are intimidated.

We have been using Splunk Enterprise Security since 2017. It has been about six years.

Its stability is amazing. It is always up. It is fantastic.

It is awesome. When we first purchased Splunk Cloud, our ingest rate was about one terabyte or one and a half terabyte. We moved from the ingest-based license to the workload-based license three or four years ago, and now, we ingest about 10 to 12 terabytes. It is handling that just fine as if nothing has changed.

I would rate their support a six out of ten because there are times when someone picks up a support case, but they do not know what they are doing. I have to guide them. It is like, "I have already done the research. This is what needs to be done. There you go. Do it." I expect a little bit more from support in terms of having the knowledge upfront.

Neutral

We had on-premises ArcSight. We had one guy run it for our enterprise. Our enterprise has roughly over 130,000 people. We are a global company, and we had one guy run the entire infrastructure. We could tell when he took days off because it would not work. When we moved to Splunk, we went to Splunk Cloud immediately. We were one of the first Splunk Cloud customers or one of the bigger ones. That is what I was told when we made the switch.

I do not know whether we have seen any cost efficiencies by switching to Splunk Enterprise Security because I was not there during the ArcSight days per se. I was there at the very tail end, but I would assume that we have seen cost efficiencies just because ArcSight was only used by the security team, whereas Splunk is used enterprise-wide, not just by the security team. It should be cheaper for us. The value is there. It is cross-functional.

I was not involved in its deployment.

Its time to value was about a year. It took us about a year because back in 2017, we were making that conversion from an on-premise ArcSight deployment to a Splunk Cloud deployment. We had to make sure that everything that was being sent to ArcSight was sent correctly to Splunk. We had to make sure that everything was in a common information model format and that we could rebuild the content.

Splunk Enterprise Security is cheaper than competitors, but I do not know whether it is just our contract. 

Everyone says that Splunk, in general, is expensive. I have talked to many peers within our industry, and I know a lot of individuals who are moving away from Splunk just because of the price. That is one of the reasons why we are looking at other competitors to see if anyone is doing something better than Splunk and has a cheaper rate.

I have looked at other competitors. We recently looked at CrowdStrike's LogScale solution. It feels like Splunk to me. I cannot say how we would reproduce what we have done in Splunk on the infrastructure side or backend. Our environment is uniquely different. Technically, I am the only person who runs Splunk for our entire organization, similar to the way the previous person ran ArcSight for the organization. If I were to compare apples to apples, Splunk to me is still number one in that category.

Splunk's community is the biggest benefit. It is so easy to go to Slack and hit someone up. There is a good chance that you will find someone out there who has run into the exact same issue that you are having. Their documentation is fantastic. Because I am the only one who runs it for our organization, it is easy for me just to Google it, find the document, and just follow it. It is as simple as that. It gets a little dicey with XDR and all the other things that are happening in the market, such as using a data lake. Instead of putting our eggs in one basket or using Splunk, we might use something like Snowflake.

I get introduced to new ideas by attending the Splunk Conference. In the year before last, someone did a talk about business email compromises. Within our company, we did something similar, and we did it about nine to ten months before the talk. I listened to the talk to see if we were doing anything different from what they were doing. I found out that we were doing the exact same thing essentially. I thought, "We could have done a talk like this too." These talks are very helpful. For example, they showcased the attack analyzer, and currently, we are looking for an automated online sandbox, just like the attack analyzer. We have been looking at cloud-based sandboxes that are out there. Being able to see it hands-on and how it interacts with Splunk makes it much easier for us to make that decision.

Overall, I would rate Splunk Enterprise Security a nine out of ten.

My role is to design and implement and manage a strong environment. I need to ensure the available insights can be extracted efficiently and I use the solution for that. I also configure the Splunk custom dashboard and optimize searches to meet specific business needs. We also do a lot of troubleshooting and upgrading.

The security part is useful as it helps secure the entire environment. I designed the security aspect of it for a lot of applications in my company. It's the security thread within the application that we build. I'm able to use Splunk to secure the applications. 

We use the solution to monitor multiple cloud environments. We can monitor even on Amazon products. It's a good source for monitoring all types of applications. 

I can manage and correlate different kinds of searches within my environment. It's good for performance monitoring as well. I can do auditing and reporting through Enterprise Security.

The solution gives us visibility into multiple types of environments. There's a good level of cost optimization as well. It's good for end detection and prevention. I can identify anomalies and get a data view of fraudulent activities. You can uncover the source type and the IP address from where things originate.

Splunk gives us the capability to handle insider threat detection. I'm able to create my own dashboard that will visualize the information. It does depend on how you handle the configuration and permissions. 

We do use the MITRE ATT&CK framework. It helps us discover the scope of the incidents. It helps us to target incidents immediately. We're able to quickly resolve it and stop it. We get data visibility to see what's coming in, which helps us act fast. 

We can work with data from any source as long as you configure it correctly.

The solution has helped us to reduce our alert volume. You can tune your alert thresholds. You can also create rules to define your alerts. It gives you the capacity to optimize queries as well. 

They didn't use to be able to integrate with Cisco. However, this has changed now. 

Some minor features could be added. However, I need to do more research. 

The user experience could be improved. It could be more intuitive.

There should be a way to do bulk visualization reporting. 

I've been using Splunk for 7 years. 

We haven't had any downtime. The only issues come up is if there is an extension of limits. If you extend beyond your license, you may get downtime. 

The solution is scalable. It's easy to manage. 

We have contacted technical support for troubleshooting. No solution or machine is perfect. We had an issue where a new hire misconfigured some servers and they were able to offer us support. They are helpful, however, they do need to be faster in response. They do provide a to of documentation that can be helpful. 

Neutral

I'm also familiar with CloudWorks. However, Enterprise Security has more features and can provide more insights. 

I'm familiar with Dynatrace.

Splunk was already in place when I arrived. I simply tried to implement different strategies in multiple environments. 

Splunk is pay-as-you-go. The pricing depends on your use case. You only really pay for the amount of data you are dealing with. 

I'm a Splunk customer. 

People shouldn't necessarily look for the cheapest pricing. You need to look at what will optimize costs and the time it takes to secure the data. The most important thing, before cost, is being able to successfully secure your data. You should choose your solution based on your use case as well. 

I'd rate the solution 8 out of 10. 

We use Splunk Enterprise Security as the main SIEM system for our operation center. We use it for monitoring detection, and alert management.

We implemented Splunk Enterprise Security to help detect attacks on our network.

Splunk Enterprise Security is highly flexible, allowing us to create whatever we desire. This exemplifies its inherent power. The visibility it offers is notably robust. We can craft it to our needs and even utilize various frameworks within Splunk, prepackaged for security purposes. We possess distinct applications hosting diverse dashboards, catering to numerous security products, including those from different vendors.

The effectiveness of Splunk Enterprise Security insider threat detection capabilities, aimed at identifying unfamiliar threats, relies on whether we establish alerts based on the rules we formulate. If we construct rules incorporating user behavior criteria, the system functions optimally. It appears that there is an Extended User and Entity Behavior Analytics add-on available, which requires a separate license in addition to the enterprise security license. This add-on utilizes machine learning and encompasses multiple developed use cases. While it has limitations, it effectively serves the specific use cases it is designed for.

The threat intelligence framework within Splunk is also highly potent. We can ingest, link, and integrate external data feeds. Concerning IOCs, there are numerous pre-configured alerts within the system that rely on a feed of undesirable IPs. If one of these IPs triggers any of the alerts, such as those generated by our firewall's traffic logs, and the IP matches the bad IPs in the threat intelligence feed, the system correlates this information. If the flagged IP is detected within our network or appears in our firewall logs, an automatic alert is generated. We simply need to ingest the external feed. Subsequently, if the system identifies the IP anywhere, we will receive corresponding alerts.

I appreciate the new MITRE ATT&CK feature. I believe it's a valuable addition and reasonably priced. It seems the feature has been largely developed through marketing efforts, utilizing the capabilities of Splunk to display the MITRE ATT&CK map and the associated rules. This is important since MITRE ATT&CK encompasses over a hundred techniques. It presents the information to us based on the MITRE ATT&CK framework to illustrate ongoing activities. However, achieving a comprehensive understanding of each technique within the MITRE ATT&CK framework requires significant effort and adjustments.

Splunk Enterprise Security has enhanced our organization by offering increased visibility. If any adverse incidents occur, we are promptly informed. Even without configuring the custom rules, Splunk provides effective out-of-the-box rules that help prevent attacks. Consequently, it effectively halts these attacks. In fact, we have been able to detect and thwart potential attacks in their initial stages. This exemplifies the benefits it provides us.

Splunk Enterprise Security has helped to speed up our security investigations. We are now able to complete our investigations within three or four days. 

The most valuable features include agility and Splunk Enterprise Security's ability to quickly search for alerted items, as well as the capacity to create custom alerts using the SQL language employed by Splunk. This makes it a highly potent and versatile solution tailored to both user and company needs.

Splunk could enhance its services by providing more comprehensive professional assistance aimed at optimizing our investment. This aspect seems lacking as our expenses increase with higher data connectivity, seemingly without much consideration, as this translates to increased revenue for them. The challenge lies in the fact that we don't always require all the amassed data. Oftentimes, clients are uncertain about their actual data needs. Therefore, if Splunk integrated a service dedicated to system optimization and pricing, focusing on essential monitoring data while eliminating less crucial elements, it could potentially lead to cost savings for the customers. This strategic move would demonstrate their commitment to customers beyond just financial gain. It would highlight their genuine intention to provide support, streamline operations, and maximize the potential of this technology for individuals and their respective companies.

Splunk provides automation for large-scale environments where numerous servers are present. Consequently, efficient management of these servers becomes imperative. Currently, our management server operates using a top-down approach. This involves establishing connections from the main management server to every individual leaf and subsequently, to each lower-level server.

However, this architecture lacks inherent security measures. In the current setup, Splunk employs multiple collectors to gather data. Subsequently, this data is relayed upward, filtered, and then once again transmitted to the main management server. Notably, data traffic consistently flows from external sources toward the central management hub. This design enhances security, as even if a hacker were to compromise or gain control of the management server, their influence would be limited. The data originates externally and travels inwards, preventing unauthorized access to the entire system. 

In contrast, the proposed approach for managing extensive infrastructures situates the management hub at the core. This central position allows us to establish connections from the hub to the various peripheral components, even if they are located on a secure network. However, this configuration carries significant risks. A security breach at the central hub could potentially grant an attacker elevated permissions. This would enable them to compromise the entire network by gaining access to all Splunk nodes within the company. This architecture is vulnerable and has room for improvement.

I have been using Splunk Enterprise Security for four years.

I would rate Splunk Enterprise Security's stability a seven out of ten. This is because the system lacks built-in protection against certain issues. It alerts us when there are problems in the system, which we then need to address. However, these issues are not always easily fixable, setting it apart from other systems. For instance, sometimes the system slows down while we're working. This can occur when a new alert is implemented, leading to high resource usage and system instability. We are then required to identify and rectify the specific cause of this problem. This might involve disabling or adjusting the alert to ensure it doesn't negatively impact the system's performance.

Splunk Enterprise Security's ability to scale is good. I rate the scalability an eight out of ten.

The technical support is good.

Positive

Previously, I used QRadar, McAfee, and ArcSight. However, Splunk Enterprise Security is a more modern solution. While ArcSight from HP is powerful, it is an older system with limited flexibility and complex architecture. Many companies implemented SIEM systems before Splunk became available. It seems that most large companies might still be using ArcSight, but other competitors have entered the market since then.

McAfee attempted to develop a similar system, but it lacked scalability and was better suited for small businesses rather than larger enterprises. QRadar, on the other hand, remains robust, but it lacks Splunk's flexibility. One of Splunk's notable advantages is its ability to generate alerts and then allow users to enter searches and queries to investigate network activities and log data. This process, known as threat hunting, enables users to conduct specific searches, such as identifying individuals who accessed a particular system and the internet between four and five o'clock on a Friday. Splunk promptly provides the desired results, typically within a few minutes, making it a strong choice for this purpose. Additionally, Splunk Enterprise Security features a highly effective filtering mechanism.

I participated in the planning and implementation of Splunk Enterprise Security, as well as the creation of all rulesets and alerts. I am also configuring it to align with our technical framework.

Individuals who market Splunk Enterprise Security often claim that it can be deployed within half a day, which is quite amusing. While it is conceivable to perform the installation in that timeframe, the real complexity arises when we must establish connections with numerous systems. This involves accessing each system external to our main setup, configuring it, and directing the system to send its logs to Splunk. On the Splunk side, we encounter the need to create parsing mechanisms that allow proper data reading. This entails installing applications capable of correctly parsing the data, and addressing issues where parsing is inadequate. We then proceed to work with the data. Although Splunk provides some pre-configured rules, we also need to develop our own rules to identify specific events and potential attacks. The process of rule creation demands a substantial investment in writing rule sets. Additionally, integrating a threat intelligence framework becomes essential. We aspire to leverage the micro-framework we have established. Splunk Enterprise Security undeniably possesses considerable capabilities. Nevertheless, it necessitates continuous effort to unlock its full potential and achieve ongoing enhancements.

The solution's complete implementation may require up to one year. Throughout most of the deployment, we had a team of two members, occasionally expanding to three.

For the implementation, we used two integrators and Splunk Professional Services.

Considering the fact that Splunk Enterprise Security aids in thwarting attackers from gaining access to our environment, I would correlate this with a return on investment.

Splunk Enterprise Security's pricing is high. Larger companies may afford it, but I believe that in the current market situation, where everyone is facing challenges, financial resources are tight. Even stock market tech companies are embracing cost-saving measures. Expenses are now more constrained compared to a few years ago when companies had greater spending capacity. Companies are reluctant to make hefty payments. While Splunk is cheaper than Microsoft Sentinel, QRadar is priced at half the cost of Splunk.

Splunk Enterprise Security's licensing is typically determined by the data throughput we handle. Additionally, they offer an alternative pricing model which involves payment based on CPU usage. This newer model was introduced as a response to Elastic Security. However, Splunk enforces licensing in either scenario. 

I rate Splunk Enterprise Security a nine out of ten.

We do not monitor the cloud environments with Splunk. While we have several cloud environments, we avoid using Splunk for this purpose due to its high cost. To utilize Splunk, it would be necessary to place the Splunk engine in the cloud and gather all the logs from various cloud sources, resulting in substantial expenses due to the large volume of logs. As a result, our primary usage of Splunk is on-premise. Instead, we employ different systems to monitor the cloud, generating alerts through various security mechanisms. These alerts are then processed in Splunk, reducing both data traffic and costs.

Splunk Enterprise Security's capabilities to analyze malicious activities and detect breaches are similar to those of other systems. Its effectiveness depends on the rules we develop within it. To truly maximize its value and tailor it to the organization's needs, a significant amount of additional work and utilization of professional services are required.

The reduction of the alert volume presents a challenge due to the X number of personnel in the security alert center. They can effectively handle only Y alerts per day without experiencing fatigue. When the volume surpasses this limit, they tend to merely open and close alerts without thorough investigation. It's as if they've become weary of the process. Therefore, we must determine the optimal number of alerts per day and adjust the rules accordingly. The primary objective is to achieve a statistically reasonable number of alerts per day. This number should be somewhat higher than the current rate, but not three times greater, as exceeding this threshold would render their efforts ineffective. Conversely, if the number of alerts is too high, the personnel's capacity to take action is undermined, resulting in a lack of meaningful outcomes. Striking a balanced middle ground is imperative. This approach enables us to effectively identify and address crucial matters while ensuring our personnel can thoroughly investigate each alert.

Depending on the goals an organization aims to achieve, if their sole focus is on finding the most economical solution and they do not prioritize comprehensiveness, then QRadar would suffice. However, if they seek instant access to answers, I would recommend Splunk Enterprise Security.

Splunk Enterprise Security is deployed across our entire network.

Maintenance is necessary for the system, and updates are needed periodically. Whenever we acquire a new system, we must connect it to Splunk.

Resilience constitutes a crucial component of Splunk Enterprise Security, contributing significantly to the safeguarding of our system.

I recommend Splunk Enterprise Security for organizations that have the budget, time, and skill to properly utilize the solution. I do recommend paying for Splunk Professional Services.

I use the solution in my company to deal with certain migrations from a legacy SIEM solution to a new product like Splunk Enterprise Security or from on-prem to cloud migrations. Another use case involves implementing a new SIEM solution like Splunk Enterprise Security from scratch.

The most valuable features are its ability to transact in the cloud and its ability to onboard data easily with minimal connectors. Some of the new players in the market need to build new connectors to bring data into the SIEM solution. With Splunk Enterprise Security, you get built-in connectors, as it is a major platform.

The product's price may be an area of concern where improvements are required.

The metrics that I or my company's clients see in terms of the improvements from the use of Splunk stem from the fact that some of the metrics that the tool provides for senior leadership, specifically in the area of visibility when it comes to organizational split, considering that there are multiple lines of business. It would be a good feature in the tool if it could provide dashboarding for different lines of business in the product's next release.

One of the key areas where Splunk Enterprise Security can do better is if it integrates with AI solutions.

I have been using Splunk Enterprise Security for five years.

Our company's clients who use the solution like the fact that they can rely on Splunk Enterprise Security as a product, especially since it is not a new entrant in the market. Though the tool has moved from on-prem to the cloud, I feel that the fundamentals of Splunk Enterprise Security are strong. The support structure available for Splunk is good.

Scalability is of paramount importance to a lot of clients. Some of the clients value the scalability feature of the product, and they are also willing to pay more to use such features. There are some pharmaceutical clients my company deals with who like the scalability feature but do not like the increase in the price attached to the scalability part.

To be very fair, I have not been directly exposed to Splunk's support team since I deal with our company's clients. I have not heard any major complaint from our company's client regarding Splunk's support team, so I assume that it is pretty good.

Deployment of the product is easier than migration. It is always better to write on a clean board than write on a board where someone has already written something. If you migrate from one solution to another, you also have to migrate some of the use cases, and you need to fine-tune them. If you are deploying a product from scratch, it is easier. My company also recently dealt with one of the clients, and we had to onboard 28 log sources in ten weeks with no issues. We also had to deal with heavy forwarders, syslog, universal forwarders, and everything under the sun, which was a big mix, making it a difficult environment. There were no issues during the onboarding process. In general, I am happy with the product.

ROI depends on a lot of calculations, so my company does not consider it. Most of the complaints from our clients are related to the cost of the product. Our company's clients are happy with the features and reliability of the product. Cost is one of the major factors that companies are migrating from Splunk Enterprise Security to some other solution. I don't know if it is relevant or not, but I feel that the acquisition of Splunk by Cisco has spooked a few of the clients since they are unsure if they will receive any support if they don't have a Cisco-based infrastructure and instead have some other company like HP supporting their infrastructure.

Splunk is really expensive compared to all the other tools on the market, including Microsoft Sentinel. Some of the clients prefer to go for a data lake kind of solution because of Splunk Enterprise Security's prices. Some of the clients have also mentioned that the pricing of Splunk Enterprise Security is not visible for them and it is based on storage because of which they are not able to control various aspects associated with the pricing part.

In cases where I see the replacement of existing SIEM solutions from my company's customers' end, I have dealt with scenarios where Microsoft Sentinel replaces Splunk Enterprise Security. I have also dealt with implementations associated with Splunk Enterprise Security from scratch. I have managed migrations of Splunk Enterprise Security from on-prem to the cloud.

The primary reason customers are moving to a cloud-based solution is that products like QRadar and LogRhythm did not initially offer cloud versions. The other reasons why customers are moving to cloud-based solutions are the difficulty of configuring their use cases and the problem of finding the right resources to support them. With Splunk and Microsoft Sentinel, resources will be much more available to users in the market, but for LogRhythm, the market is going down. Training opportunities, the building of accelerators, available information in the outside world, and a lot of reasons have prompted customers to move to cloud-based products.

I would say that it is easy to configure the use cases, and also to correlate use cases, which in turn helps reduce alert volume. More importantly the product can provide good visibility in the area of dashboarding, metrics and security events.

Splunk Enterprise Security helps me find any security event across multi-cloud, on-premises, or hybrid environments.

Visibility across multiple environments or varied environments is absolutely important to our company's clients, and it is one of the key areas because most clients do not want to go and see multiple tools like CrowdStrike for endpoint protection. Our company's clients want to be able to see one dashboard with all the feeds coming in, along with all the alerts correlated to it.

The product provides relevant context to guide our company in the investigation. When you have more context, L1 or L2 support finds it easier to investigate. I don't know if Splunk already has an AI-based plugin tool or not. If AI is present in the product, it would help L1 and L2 support resolving tickets in a much faster manner, and it is also an area where context helps.

I have seen a reduction in the mean time to resolve from the use of Splunk Enterprise Security by around 30 to 40 percent if it is able to deal with contextualization. L1 and L2 support teams look at a particular incident, and if they end up spending more time adding the context or going through multiple tickets, it adds up the time needed to resolve an issue.

The product helps speed up security investigations by around 30 to 40 percent. Collecting the context is the key step for resolving or investigating purposes.

It is not fair to state why a certain rating is being given to a product since a person rates a solution on certain aspects, and it could be in terms of the migration part. If I speak in terms of the performance and support parts of the solution, I would rate the product a nine. If I consider the cost of implementing and maintaining the product, I would rate other products much better than Splunk Enterprise Security. As a company, we have implemented Splunk Enterprise Security multiple times, and we see the business associated with the product growing higher. My company also provides training to people in relation to Splunk Enterprise Security. My company hopes to do more business with Splunk Enterprise Security. My company has 3,00,000 employees.

I rate the overall tool an eight out of ten.

We use the solution for detection, basic building searches, and creating many dashboards for investigation purposes. We have also been using it recently to create some RBA detection rules.

The solution's newly developed dashboard is pretty amazing. The full platform is quite useful, and there are a lot of tools that we can use to leverage and modify for our own purposes. Clients don't necessarily know about it, but the tool is powerful because it saves so much time.

The solution has so many features that it's easy to get lost. Many of my clients want to get better at Splunk, but they're afraid of using the tool because they feel it's too complex for them. They also need to go through a certification to use the tool.

I have been using Splunk Enterprise Security for five to six years.

The solution's stability is a lot better on the cloud than on-premises.

The solution’s technical support is good. Sometimes, the technical support team's response time depends on the severity of the alerts. Sometimes, we don't get the right person on the call.

Positive

I use solutions like ArcSight, Exabeam, and Sentinel for different clients.

The solution’s initial setup is easy and not that difficult.

Our clients have seen a return on investment with the solution.

Splunk Enterprise Security is an expensive solution.

It is extremely important to our organization that the solution provides end-to-end visibility into our environment. Usually, a lot of companies don't have full visibility on their endpoints or servers.

Splunk Enterprise Security is a really good tool for helping us find any security event across multi-cloud, on-premises, or hybrid environments, like finding a needle in the haystack.

The solution has improved our organization’s ability to ingest and normalize data. Splunk Enterprise Security has also helped us identify and solve problems in real-time.

When processed correctly, the solution provides us with the relevant context to help guide our investigations.

If everything works correctly, Splunk Enterprise Security helps speed up our security investigations by 50%.

The solution has helped reduce our mean time to resolve by 20%.

When something breaks with the solution, troubleshooting and figuring out the problem is hard. The solution runs better on the cloud, with fewer problems and errors, than on-premises. We may not have the right hardware on-premises.

Splunk Enterprise Security is a great app that has been really innovative in the past. I would recommend the solution to other users. There's a cost to it, like anything that is of quality. However, if you want the best, Splunk is at the top right now. The solution is deployed on AWS and Microsoft Azure clouds.

Overall, I rate Splunk Enterprise Security a nine out of ten.

The solution is used in my company to help the security operation center in work areas like detection, response, and investigation while maintaining cybersecurity standards.

My company has benefited from using Splunk Enterprise Security, which has helped us stay out of the headlines in newspapers. The tool helps detect threats early and respond to them effectively.

The solution's most valuable feature is that it helps with our use cases to detect anomalies in our data and it is important to my company since we have a lot of data on different logs on the systems. We need to be able to create insights that are indicative of malicious activities, which is one of the main purposes of having Splunk Enterprise Security in our company.

The product lacks cross-cutting capabilities. The features in Splunk Enterprise Security that were initially promised to our company are still not available. My company has been asking Splunk for some of these features to be provided in the product for years, and we have been promised that they will be introduced soon in the solution and be part of the product's next release.

I believe that the contract and the terms and conditions mentioned in it are areas where improvements are required.

I have experience with Splunk Enterprise Security.

When it comes to the on-premises version, the stability of the product was quite reliable. When my company moved to the product's cloud version, we faced some major issues related to availability and dealing with events like data corruption.

The product's scalability is okay. I do not think my company faced issues in the area of scalability.

The product's support services were not great initially, but now they are in really good shape. Whenever my company connects with the product's support team, they listen to our questions and queries, so I feel that we are in a much better place now. I rate the technical support as eight out of ten.

Positive

My company has experience with ArcSight. We switched to Splunk Enterprise Security because we couldn't get good answers to our questions from ArcSight, and it was just not functional.

The solution is deployed using the cloud services offered by Splunk. Recently, my company also deployed the tool on an on-premises model. In our company, we monitor both, cloud and on-premises, with our cloud instance.

In the beginning phase, I would describe the deployment experience as a costly and hard process. The migration process from on-premises to cloud was hard and took our company a year to complete. There were different kinds of roadblocks on our company's and Splunk's end. My company worked directly with the migration process associated with the product.

It is difficult to say whether I have seen an ROI since it is like trying to figure out how much an insurance policy works. I think that our company will receive a return on investment from the use of the solution since it helps the organization's cybersecurity team stay out of the newspapers. My company has always been able to deal with threats quickly with the product.

Regarding the product's pricing, I think it has always been difficult to have a conversation with Splunk. Considering the contract thing and the whole legal area, it takes forever to get the contracts signed and to be able to agree to the terms and conditions for my company as well as for Splunk's team. I like the direction Splunk stays in by thinking with the customers about how to reduce costs and only have that data searchable or available, which you need at a particular time. I like the path Splunk is going on, specifically its current trajectory. I appreciate the efforts put in by Splunk in the area partnership, which is what my company expects.

My company uses Microsoft Sentinel. A multi-SIEM environment provides my company with the best of both worlds. Sentinel has some good features, like Microsoft Graph Security, that the tool uses for the whole Microsoft ecosystem. Microsoft Sentinel is a good option for my organization.

In my company, Splunk acts as a product that complements Sentinel because the former lacks some features. I think Microsoft is strong in the area of service delivery. Microsoft's EDR tools, like Microsoft Defender, use Servers from Microsoft Graph Security, and my company benefits from such a type of integration, and we are able to send alerts to Splunk. In our company, if we start to ingest all the data we usually ingest in Splunk by moving to Sentinel, it will become too expensive, so we have to choose where to keep our data.

My company has been able to reduce the mean time to resolve with Splunk Enterprise Security as it went down from a couple of days to hours.

My company has seen a significant reduction in alert volume. It was very noisy earlier, but lately, my company hardly sees any false positives.

It is super important that the solution provides end-to-end visibility of our company's environment because you can never know from where threats can materialize. The fact that users can correlate and ingest data makes sense and is crucial, considering the massive amounts of data.

Splunk Enterprise Security has helped improve our company's ability to ingest and normalize data, which is one of the tool's key benefits.

I would not say that Splunk Enterprise Security has helped solve problems in real-time scenarios, but it has helped solve problems on a near real-time basis. In my company, there is always some lag between the data that comes in and the ones being ingested and correlated. Splunk Enterprise Security aids in solving problems in a matter of minutes.

Splunk Enterprise Security provides relevant context to help guide our company's investigations, and it is very important and can be considered everything for our organization. In our company, we pull in data from assets and registries to give index-based alerts and be able to find owners quickly to notify them and respond to threats.

Splunk Enterprise Security's ability to help our company find any security events across environments is excellent. My company is really happy with Splunk Enterprise Security. The product helps our company find bad stuff when needed.

The truth is that it is very hard to deliver solutions that work at a certain scale. I think that one of the things I could say is that it is a solution that scales up at work. There are many organizations where solutions fail, and I can say that since I have been a part of the deployment of many other tools, it is hard to get many products to work. Splunk Enterprise Security works, and our company's analysts rely on it and trust it. I can only see improvements considering the strategies in terms of where the product's management team is going, and I believe that I will be able to rate the tool a nine out of ten pretty soon.

I rate the overall solution an eight out of ten.

We typically suggest Splunk IT builds for customers with significant EPS requirements and large-scale data environments. While other solutions like Foundry and IBM QRadar may be popular, they often have limitations in handling big data effectively.

It offers visibility across various environments, encompassing diverse infrastructures such as multiple firewalls. Some environments are entirely cloud-based, while others follow a hybrid model with services both on-premises and in the cloud. The infrastructure setup varies depending on the organization's specific model and needs.

We are highly satisfied with the level of visibility provided by Splunk.

It offers advanced threat detection capabilities to assist organizations in uncovering unknown threats and anomalous user behaviors. Splunk is utilized for integrating various devices including firewalls and other security controls, enabling coordination of logs and the creation of use cases. Analysts investigate alerts generated by these use cases, identifying and mitigating potential threats. Additionally, Splunk provides built-in and customizable use cases to enhance security measures.

We utilize the threat intelligence management feature in Splunk, which includes the provision of IOCs. Additionally, we have third-party intelligence services integrated into Splunk, which alert us whenever any related feature is triggered.

The effectiveness of the actionable intelligence offered by the threat intelligence management feature hinges on the third-party engines integrated or enabled within it. While false positives are common and require investigation, there are instances where identified IOCs are indeed malicious. In such cases, actions like reporting or following a predefined playbook can be taken.

We leverage the Splunk Mission Control feature, and I have hands-on experience with it. Typically, I manage it through Splunk, where I create rules, reports, and dashboards. Enabling third-party intelligence and other features involves a thorough review process, particularly when onboarding new clients. Once set up, we regularly review our baseline configuration and make adjustments as needed to ensure optimal performance. The Splunk Mission Control feature aids our organization in centralizing our threat intelligence and ticketing system data management. We integrate third-party intelligence services along with our company's proprietary advisories, particularly in the retail sector. This integration enables us to maintain a comprehensive reference set within Splunk.

We utilize the Threat Topology and Mitre ATT&CK Framework features to enhance our understanding of threats. These features offer micro-mapping visibility, allowing us to align identified needs with specific techniques.

The purpose of the Mitre ATT&CK Framework is to aid in discovering and understanding the full scope of an incident. Using the micro-hypotheses, we assess whether our subcontractors are adequately covered. We evaluate our rules to determine whether we have sufficient use cases for tactics and techniques, such as initial access. This process helps us identify any gaps in coverage within the Mitre ATT&CK Framework and address them accordingly.

Splunk is a valuable service for analyzing malicious activities and detecting breaches. However, I recommend ensuring comprehensive coverage of threats by integrating all relevant devices and maximizing visibility into logs. For instance, leveraging firewall logs enables the detection of anomalies at the network level, while logs from EDR solutions can identify malicious activities on endpoints.

Splunk has significantly improved our threat detection speed. Comparatively, when working with other teams, I've found Splunk to be more efficient due to its big data capabilities, allowing for faster analysis compared to IBM QRadar and similar tools.

The primary benefits our customers experience from utilizing Splunk in their organization are significant. While Splunk may be more costly compared to other machine solutions, its effectiveness shines in handling large volumes of data, making it ideal for organizations with extensive data needs. Unlike solutions like IBM QRadar, which may struggle with processing large amounts of data efficiently, Splunk's big data capabilities enable it to excel in such scenarios.

Splunk Enterprise has effectively decreased our alert volume across various use cases. Whenever we develop a new use case, we carefully analyze it, occasionally encountering false positives. In such instances, we collaborate with IT to whitelist these cases. Over time, as we accumulate a robust whitelist, the ratio of false positives diminishes, resulting in a higher rate of true positive alerts.

It has significantly accelerated our security investigations, proving to be immensely helpful. We can efficiently track and analyze user activities with most devices integrated into the Splunk environment. The visibility provided by Splunk allows us to coordinate activities seamlessly and thoroughly investigate any detected incidents. Whether it's identifying the origin of an activity or uncovering correlations between events, Splunk enables us to piece together the entire user activity chain swiftly and effectively.

Compared to other SIEM products, I've found that Splunk offers quicker alert resolution times. Its ability to efficiently handle large data volumes contributes to this advantage. Analysts typically have predefined playbooks and investigation checklists for when alerts are triggered, which Splunk supports well. Additionally, we've customized dashboards and reports to further streamline our detection process, ultimately reducing our response time.

For those seeking cost-effective solutions, Elastic Stack stands out as a popular choice due to its single-source administration and competitive pricing. Many industries, recognizing its affordability and robust services, are swiftly adopting Elastic and other similar solutions like Wazuh.

The value of resilience in a SIEM solution varies depending on the organization's preferences and requirements. Some organizations prioritize high availability and disaster recovery capabilities, which contribute to resilience.

As an analyst, I've observed that Splunk offers a variety of rule sets, along with built-in and customizable use cases. We have the flexibility to create dashboards and expand reports for management visibility. One key advantage of Splunk over competitors like IBM QRadar is its superior device integration capabilities. With Splunk, we can seamlessly integrate and coordinate data from various sources, enhancing our analytical capabilities.

I believe there is room for improvement in reducing costs, particularly in the financial aspect, as Splunk tends to be pricier compared to other options. Additionally, enhancing support services with more technical personnel is essential. Delays in responses from the technical team can pose challenges for both vendors and clients, especially considering that Splunk applications and machine solutions are critical assets. Splunk's pricing may pose a barrier for some users, but if it becomes more competitive, it could attract those currently using IBM QRadar or similar solutions. Additionally, considering the trend towards migration to Microsoft Sentinel, which offers a comprehensive suite including identity management and EDR coverage with Microsoft Defender, Splunk could benefit from offering similar modules. In Microsoft Sentinel, they offer a separate identity management module, which I find particularly valuable. Any anomalies detected within identity management trigger alerts, providing enhanced security.

I have been working with it for two years.

It provides good stability capabilities.

The scalability of Splunk, particularly when implemented as an enterprise solution, is notable. While we work with a limited number of clients, typically five to six, they are spread across various locations, including the US and Pakistan. From a maintenance perspective, our operations are based in Pakistan. Our clientele predominantly consists of customers from Gulf countries, and we also extend our services to clients in the US.

There have been instances where the response time from Splunk's support team has been slower in comparison to others. I find IBM QRadar and similar solutions to have more efficient support teams. I would rate it five out of ten.

Neutral

Our deployment team handles both deployment and support services, including maintenance responsibilities.

It offers a return on investment for our company.

Overall, I would rate it eight out of ten.

We mostly use the solution for compliance, logging, log storage, and root cause analysis. In 2015, we had AIG as a client, and they only had Splunk. Splunk Enterprise Security is one of the oldest solutions that did the logging and storage.

Splunk has fantastic brand value, which helps us sell it as resellers. The solution's pricing is quite competitive. The solution meets all the requirements. As a compliance person, I know that log storage is very important for data privacy compliance guidelines like ISO or CCPA. Splunk provides all of those compliances and checkmarks.

I like that the tool is light and the agent doesn't slow down the machine. Splunk Enterprise Security is a standard solution providing good customer service and partnership.

The solution should improve regional knowledge of the new regulations coming out of the Middle East. As a consulting firm, we are currently targeting many Middle Eastern markets, including Saudi Arabia and Dubai. They don't have a local server support cloud center there, which is a big issue because they don't want their data to go out of the region. Splunk should have more regional data centers in the Middle East.

I have been using Splunk Enterprise Security for five years.

Splunk Enterprise Security provides good stability.

The solution's scalability is fantastic. Even 10,000 to 50,000 endpoints don't slow anything down. The servers, log storage, and ingestion work smoothly, irrespective of whether there are 5,000 or 50,000 endpoints.

The solution’s technical support is very good.

Our customers using Splunk Enterprise Security don't have any compliance issues, and they don't get fined by the regulators, which saves them money.

Splunk Enterprise Security's pricing is pretty competitive.

I'm a consultant who uses Splunk for other clients. It's important for the clients that it can communicate with all kinds of devices, like firewalls, WAFs, servers, endpoints, switches, and routers. All of that is figured out over time, which is useful.

Splunk Enterprise Security is a good tool for finding security events across multi-cloud, on-premises, or hybrid environments.

Splunk has helped improve our organization's ability to ingest and normalize data. It can also identify and solve P1 or high-critical-priority problems in real-time.

Splunk Enterprise Security has helped us reduce our alert volume by around 50%.

The solution provides us with the relevant context to help guide our investigations, and this context information has impacted our investigation process. Having all the data in a single place does help with post-incident response and forensic root cause analysis.

Splunk Enterprise Security has significantly helped speed up our security investigations. I save 60% to 70% of my time because it's easier to find what I want to find through the tool's user interface.

Splunk Enterprise Security has helped reduce our mean time to resolve by around 50%.

Overall, I rate the solution ten out of ten.