IT Manager at an aerospace/defense firm with 10,001+ employees
Real User
Top 10
The search feature is fast and comprehensive
Pros and Cons
  • "I like the search feature and the indexing. It's very fast and comprehensive."
  • "Splunk is very expensive. The license is based on the volume of the logs ingested. I was responsible for managing the contract with our service integrator. I don't know the precise details of the competing solution, but I have heard that Splunk is more expensive than others. I don't know what the going rate is on the market, but I think there are at least two competitors that are less expensive. We have experienced a few issues with our service providers in terms of log filtering and ingestion, so we continue to pay a bit more per day for our logs."

What is our primary use case?

We use Splunk for log analytics, blocking dangerous files, etc. It helps to shape our security policies. Splunk is managed by our service provider, but we regularly get security insights from them.

What is most valuable?

I like the search feature and the indexing. It's very fast and comprehensive. It's easily tuned by your service provider, so I can quickly find the results I'm seeking. So it's very practical. We are working with the search feature and using multiple indexes that combine devices from different environments, so it's easy to collect information across environments. 

We can relatively quickly detect some malicious activities based on attack patterns and implement use cases configured by our service provider with help from Splunk. It improves the speed of threat mitigation because you can gather information about the attack patterns from a few days of online activity to block threats and take the necessary actions. 

For how long have I used the solution?

We implemented Splunk at the end of 2020, so it's been around three years. 

What do I think about the scalability of the solution?

Splunk Enterprise Security is scalable.

Buyer's Guide
Splunk Enterprise Security
May 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: May 2024.
787,104 professionals have used our research since 2012.

How are customer service and support?

We have not been in direct contact with Splunk except for a workshop where I met a few of them. My impression was that they were skilled, experienced experts. They seemed helpful, so I had a good impression.

How was the initial setup?

The service provider deployed Splunk, so I wasn't involved. I had heard that they experienced some difficulties setting it up, but I don't think it was harder to install than other solutions.

What's my experience with pricing, setup cost, and licensing?

Splunk is very expensive. The license is based on the volume of the logs ingested. I was responsible for managing the contract with our service integrator. I don't know the precise details of the competing solution, but I have heard that Splunk is more expensive than others. I don't know what the going rate is on the market, but I think there are at least two competitors that are less expensive. We have experienced a few issues with our service providers in terms of log filtering and ingestion, so we continue to pay a bit more per day for our logs.

What other advice do I have?

I rate Splunk Enterprise Security eight out of 10. 

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Chief Cybersecurity Architect at a security firm with 201-500 employees
Real User
Excellent support, great visibility, and helpful for digesting any information and correlating it
Pros and Cons
  • "The ability to digest any information and then correlate it in accordance with what you need is valuable. The ability to connect to pretty much everything and bring the information in the same format is also valuable. On top of that, we can use their language in order to create and customize the dashboards, correlations, or analytics that we want to incorporate."
  • "They can incorporate the SOAR solution within the actual product so that we do not require two different products, two different installations, and two different pricing methods. In regards to UBA, I am familiar with the UBA that existed two years ago. I am not updated about it today, but two years ago, UBA required such an amount of data that from a cost perspective, it was not worth it. When you compare it to what you get out of the box with Microsoft Sentinel without additional costs, there is no match."

How has it helped my organization?

The visibility that it provides is awesome. You can connect it to whatever you want and create whatever visibility you want. 

Its insider threat detection capabilities for helping our organization find unknown threats and anomalous user behavior are great. They have a lot of built-in capabilities for analytics, and they can provide a lot of visualizations and insights into whatever is being brought into it. The threat intelligence that is part of the platform itself is awesome.

In terms of actionable intelligence, it depends on what you bring to the table. The platform itself gives you the capability to make threat intelligence actionable, but if your feed is not good, it is of no use. There is a lot of noise within the SIEM. This is not on Splunk. This is on the SIEM, but Splunk does help to eliminate a bit of the noise and create a more cohesive view of the intelligence you digest.

Splunk is very good for analyzing malicious activities and detecting breaches. Its ability to connect things that are manually hard to connect is awesome. It is a bit lacking when you compare it to Microsoft Sentinel because Microsoft Sentinel already brought the SOAR solution, which in the case of Splunk comes at an additional cost. When I used it, they did have it quite expensive, but as a SIEM, if you compare Splunk to other SIEMs, it provides you with a great ability to detect and understand that you have something that is suspicious and anomalous within your network. Its ability to connect things that otherwise cannot be connected by humans is very good.

It helps to detect threats faster, but I do not have the metrics. When it comes to reducing the alert volume, it is not Splunk. It is more of the analyst's work on top of Splunk.

Splunk definitely helps speed up our security investigations. It has the ability to connect and bring information with the click of a button. 

I have used Threat Topology and MITRE ATT&CK framework. It was very good for management but not so much for analysts' day-to-day work. It is a cool feature that helps you bring money from management, but it is not something that an analyst will use on a day-to-day basis.

What is most valuable?

The ability to digest any information and then correlate it in accordance with what you need is valuable. The ability to connect to pretty much everything and bring the information in the same format is also valuable. On top of that, we can use their language in order to create and customize the dashboards, correlations, or analytics that we want to incorporate. They also have a lot of out-of-the-box correlation that we can use, which is awesome.

What needs improvement?

They can incorporate the SOAR solution within the actual product so that we do not require two different products, two different installations, and two different pricing methods. In regards to UBA, I am familiar with the UBA that existed two years ago. I am not updated about it today, but two years ago, UBA required such an amount of data that from a cost perspective, it was not worth it. When you compare it to what you get out of the box with Microsoft Sentinel without additional costs, there is no match. 

For how long have I used the solution?

I have been working with it for the past five or six years. 

What do I think about the stability of the solution?

It is very stable. I did not have any crashes or malfunctions. It does have a bit of a stretching point when you are doing a very large query or you are retrieving a lot of data. For example, when you are retrieving months of logs in order to conduct an investigation. However, that is at the edge of the product. On a day-to-day basis, it is very stable. It does everything that you need to do. We did not have any crashes in either of our implementations. We did not have anything major.

What do I think about the scalability of the solution?

In the on-prem environment, it is scalable, but it requires work because you need to install indexes and forwarders. It requires more work from someone who is specialized in that domain, but in the cloud environment, it is super easy. It is very scalable. You can just grow as you need.

How are customer service and support?

Their support is awesome. I would rate them a ten out of ten. It is not just the technical support. Their documentation is also good. The whole support system is awesome.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used it in my last organization. In my current organization, we have adopted Microsoft Sentinel. I am creating a new managed service company, so it is going to provide service to multiple clients. We have multi-tenancy and full cloud environments and monitoring of on-prem solutions. When I implemented Splunk, it was not used for multi-tenancy. Their multi-tenancy was not that great. It was the old solution, but they now have the cloud environment that is more supportive of multi-tenancy, but with their on-prem solution, for multi-tenancy, we could just play with permissions. It was not the best. It was not proper multi-tenancy where you need different databases and different control planes. It was not the ideal solution, but now they have the cloud environment.

How was the initial setup?

The experience that I had a few years ago was for on-prem, but now, I do have an implementation that is cloud-based. We are implementing it cloud-based for one of our customers. It is deployed on AWS.

The initial deployment is very fast. It is very quick. The on-prem can take a few days, and it is up and running. If it is on the cloud, it is already installed. You only need to connect all the source logs. The duration depends on the number of source logs. It differs. I had a project where I connected all my source logs in one week, and I had a project that took about four months, but the number of logs was different. The complexity was different. We had to create our own connectors and our own parsers.

What's my experience with pricing, setup cost, and licensing?

The pricing is very complicated, and it is very pricey. You do require a lot of different licenses in order to get a comprehensive solution that is not just the SIEM solution.

To someone who is evaluating SIEM solutions but wants to go with the cheapest solution, I would recommend QRadar.

What other advice do I have?

Overall, I would rate Splunk Enterprise Security an eight out of ten. There are several reasons for not rating it a nine or a ten: the pricing is very complicated, and it does require someone who is knowledgeable in the platform. You need someone who is specialized in that. Fortunately, I have these people, but when I tried to look for one in the beginning, it was not an easy job to find someone who was very skilled in this platform. Once you have such a person, it is awesome. You can do whatever you want. The sky is the limit. In fact, not even the sky is the limit. It does provide a very comprehensive solution. It does provide tons of flexibility. It is the platform that you should go for when you need something that is not ordinary or not your typical SIEM solution for a typical organization. It is the platform when you need something that will provide more. For example, one of the projects that I worked on was related to a SOC that needed to digest information from multiple organizations that already digest information, and we had to create cohesive use of that. In such a case, this is the platform to work with because it provides the flexibility that no one else provides.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
SoheylNorozi - PeerSpot reviewer
IT Consultant at a tech services company with 51-200 employees
Real User
Top 5
We can script advanced queries with limited knowledge, uncover unknown threats, and identify anonymous user behavior
Pros and Cons
  • "The most valuable feature is the DSS, also known as SPL, because it allows users to script advanced queries with limited knowledge."
  • "The CIM model is the method Splunk uses to normalize data and categorize its important parts, but it is quite complex."

What is our primary use case?

Our customers utilize Splunk Enterprise Security for either their cybersecurity program or their data warehouse program.

How has it helped my organization?

Splunk Enterprise Security's threat detection capabilities are effective in assisting organizations to uncover unknown threats and identify anonymous user behavior. However, this effectiveness is dependent on using the UBA modules and having the proper infrastructure in place.

MITRE ATT&CK is the framework that we use to detect and track well-known threats. When there are well-known threats, we can utilize the MITRE ATT&CK to identify any anomalies.

Splunk Enterprise Security has its own routine and process defined for analyzing malicious activities and detecting breaches. Mainly, we baseline the client's business process and day-to-day activity and then use it to detect malicious activity through various scenarios.

Splunk Enterprise Security assists us in detecting threats more quickly. We have an abundance of unrelated and meaningless data from the raw logs, and the solution aids us in organizing and correlating this data so that we can extract meaningful events and take appropriate action. This is the primary objective for the majority of our clients. 

In most cases, we provide monitoring and intelligence to our customers based on how they use the solution. This allows other technical teams, such as PC, system support, and other tech units, to take appropriate actions. Our main role is to provide them with alerts and use case scenarios, while the detection and actions are primarily related to other aspects.

When we initially implement Splunk Enterprise Security, there are many alerts and false positives. However, with time, we are able to align our configuration with the client's requirements and do more baselining, reducing such issues.

Splunk Enterprise Security helps to expedite security investigations. Without a security solution, our security team is unable to identify threats because the log and auditing data are unrelated and uncategorized. Consequently, we cannot access them promptly. Therefore, having a solution like Splunk Enterprise Security is crucial for our cybersecurity program. For certain clients' needs, we prefer using open-source applications like ELK and ESK. However, if they opt for an enterprise and commercial product, Splunk is among the top three choices.

What is most valuable?

The most valuable feature is the DSS, also known as SPL, because it allows users to script advanced queries with limited knowledge.

What needs improvement?

The CIM model is the method Splunk uses to normalize data and categorize its important parts, but it is quite complex. Simplifying this process would assist security officers in assessing threats and using the system more efficiently.

I would appreciate it if Splunk could add the feature of importing and exporting from web servers and third-party devices during project and process development. This addition would greatly enhance the value of the solution, making the maintenance for the security officer easier.

For how long have I used the solution?

I have been using Splunk Enterprise Security for six years.

What do I think about the stability of the solution?

I rate the stability of Splunk Enterprise Security an eight out of ten.

What do I think about the scalability of the solution?

Splunk Enterprise Security can be easily scaled once it has been installed and deployed.

Cyber threat levels are increasing every day, especially during the pandemic when most employees needed remote access to their business services. As a result, many organizations experienced a surge in attacks and required a resilient SIEM and cybersecurity solution.

Which solution did I use previously and why did I switch?

I have used ELK, ESK, QRadar, Graylog, and LogRhythm in the past. One of Splunk's strengths over its competitors is its dedicated DSS called SPL.

The drawback of Splunk Enterprise Security is that upon initial installation, we need to do a lot of customization in order to have an effective cybersecurity program and deliver quality service to the client.

How was the initial setup?

The initial setup is straightforward, but we need to make some configurations afterward that can be a bit complex. The deployment time depends on the size, but it usually takes several months to ensure stability and requires two SIEM engineers.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is hardly affordable for most of our clients, causing many of them to resort to using open source solutions instead.

In addition to the licensing fee, there is also a support and maintenance charge.

What other advice do I have?

I would rate Splunk Enterprise Security an eight out of ten due to its high total cost of ownership, difficulties in maintenance, and the complexity of configuration immediately after deployment. 

Splunk Enterprise Security may not be cost-effective for small and even some medium-sized companies. While each organization has different requirements, we do recommend Splunk for medium and large organizations.

Organizations should take into account the complexity of their environment. For instance, if they have a purely vendor-based environment for their network security appliance, it may be easier for them to handle security, fabric, and architecture requirements. However, if they operate in a multi-vendor and mixed environment, they need to conduct more research on how to integrate various components. Often, they rush into negotiating their cybersecurity program without sufficient research, leading to potential problems for clients.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Kenny Corbett - PeerSpot reviewer
Associate Director of IT at Rigel Pharmaceuticals Inc
Real User
Provides risk scores and end-to-end visibility
Pros and Cons
  • "It provides a risk score for each object, device, or user. We can then take action if they are at a higher risk."
  • "The pricing can be better."

What is our primary use case?

Splunk Enterprise Security provides more visibility into endpoints in our environment.

How has it helped my organization?

We only monitor AWS, but we also have SaaS services that are in our own clouds. So far, it is easy to monitor our cloud environment with this solution. As long as we ingest our data correctly and tune it, it will read it. It is very easy to use.

It provides end-to-end visibility into our cloud-native environment. This is critical for us because we are always one step away from a security incident, which could impact the company and cost a lot of money. That is our main point of focus.

What is most valuable?

It provides a risk score for each object, device, or user. We can then take action if they are at a higher risk.

What needs improvement?

The pricing can be better.

For how long have I used the solution?

We have been evaluating Splunk Enterprise Security for the last eight months.

What do I think about the stability of the solution?

I cannot say anything about stability, but I am assuming it would be the same as Splunk. It is an app. It is going to work.

How are customer service and support?

The technical support is above average, but they do not go into the details, so we have a contract with a third party to help us.

There might be more Splunk support tiers, but we are working with SP6. They will get their hands directly onto our Splunk environment, whereas Splunk support does not do that. Maybe there is a different tier that does that, but we do not have that. It is more of an email dialogue. They are not going to VPN into our environment. SP6 is more hands-on. I would rate SP6 a nine out of ten.

Which solution did I use previously and why did I switch?

We did not use a similar solution. We have Carbon Black for endpoints, but this is going to be a lot bigger than that.

How was the initial setup?

We are still evaluating it. We have not deployed it yet, but I was involved with the deployment of Splunk. 

It was very easy to set it up for evaluation. It is just an installer file. It is an add-on app for Splunk, and if you know how to install Splunk and add-ons, it is easy.

What's my experience with pricing, setup cost, and licensing?

I am fine with the licensing, but in terms of the cost, it is expensive for the data that we have. We have an open discussion with our account rep about this.

Which other solutions did I evaluate?

We are not evaluating any solutions because we already have Splunk, and we do not want to leave Splunk. I like it, so it is just a matter of making the commitment.

What other advice do I have?

The value that I get from attending Splunk Conferences is going to sessions and learning about what other people are doing and use cases that I have not really thought of. Also, I am able to talk directly to people about questions I have regarding our Splunk instances, and I can get some answers right away. It is very good to know what people are doing because sometimes we do something one way, but we do not know if we are doing it the right way. Here, we can get validation, or realize that we are doing it wrong and make the necessary changes. That is very valuable.

I would rate Splunk Enterprise Security a ten out of ten. Most customers at the conference have already implemented it, except for our company. It is a critical foundation app that allows you to explore other apps that Splunk is grading, and it works.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Surya Ambavarapu - PeerSpot reviewer
MSP ENGINEER at bitsIO Inc.
Real User
Helps streamline incident responses, provide visibility into our environment, and reduce alert volume
Pros and Cons
  • "Splunk Enterprise Security stands out for its ability to integrate with existing security tools, provide informative dashboards, and offer IT Service Assurance functionality that goes beyond basic threat detection to include service performance monitoring."
  • "Splunk Enterprise Security offers a vast amount of information to learn and comprehend, resulting in a challenging initial learning curve."

What is our primary use case?

Our security relies on Splunk Enterprise Security to analyze data models for malware, threats, and MITRE ATT&CK techniques. Pre-built dashboards and multiple correlation searches help us identify anomalies. Any suspicious events flagged by the MITRE framework are categorized and assigned as tickets to our engineers for investigation and mitigation.

How has it helped my organization?

Splunk has streamlined our incident response by automating key processes. For instance, alerts trigger upon exceeding three failed login attempts, automatically assigning tickets for review. Similarly, unauthorized access attempts from unfamiliar regions are automatically blocked. These automated data-driven responses significantly improve our overall incident response efficiency.

The customizable dashboards offer great visualization and extra add-ons.

Splunk Enterprise Security helps us to easily monitor multiple cloud environments.

Mission Control lets us monitor and manage our security from a single panel.

Based on my short experience, I would rate Splunk Enterprise Security eight out of ten for its ability to analyze malicious activity.

Splunk Enterprise Security helps reduce our alert volume.

Splunk Enterprise Security streamlines our security investigations by providing a central platform and offering a growing library of add-ons that expand our investigative capabilities.

What is most valuable?

Splunk Enterprise Security stands out for its ability to integrate with existing security tools, provide informative dashboards, and offer IT Service Assurance functionality that goes beyond basic threat detection to include service performance monitoring.

What needs improvement?

Splunk Enterprise Security offers a vast amount of information to learn and comprehend, resulting in a challenging initial learning curve.

Extracting logs from Splunk for analysis in other applications is crucial for me. This would allow me to identify correlations between data sets and make informed decisions about next steps. Unfortunately, the current Splunk workflow seems to hinder data verification.

The licensing cost could be more competitive, as some of our competitors offer lower prices.

For how long have I used the solution?

I have been using Splunk Enterprise Security for one year.

What do I think about the stability of the solution?

We have encountered issues when updating features where Splunk Enterprise Security doesn't work properly. I would rate the stability of Splunk Enterprise Security seven out of ten.

How are customer service and support?

The technical support team is always supportive but their response time and knowledge can be improved.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial deployment was straightforward.

What's my experience with pricing, setup cost, and licensing?

The license for Splunk Enterprise Security is expensive.

What other advice do I have?

I would rate Splunk Enterprise Security eight out of ten.

We have Splunk Enterprise Security deployed across multiple locations.

The resilience Splunk offers is good.

I recommend Splunk Enterprise Security to others.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Manager at a consultancy with 1-10 employees
Real User
Provides constant monitoring and good visibility, but is not user-friendly
Pros and Cons
  • "Compared to IBM QRadar, Splunk Enterprise Security offers faster alert resolution."
  • "Splunk has a steeper learning curve, making it feel less user-friendly."

What is our primary use case?

We use Splunk Enterprise Security for security correlation and event management.

Splunk Enterprise Security is deployed as a hybrid model where the core component is on the cloud and is integrated with an on-premises solution.

How has it helped my organization?

Splunk Enterprise Security offers strong visibility through readily available use cases and supports integrations with most standard log sources. Its search capabilities are also commendable. Compared to other tools, Splunk Enterprise Security delivers superior visibility.

While we haven't integrated UEBA yet, it's in our plans. As a proactive monitoring solution, UEBA offers several benefits. It can identify Indicators of Compromise based on historical threat intelligence and generate alerts for suspicious activities. This allows us to potentially detect compromised accounts or ongoing attacks before they cause significant damage.

Splunk offers its threat intelligence service, which helps prevent IP replication and malicious threats. This information can be integrated or configured for our specific use cases, delivering more relevant and high-value insights.

Threat topology and MITRE ATT&CK are frameworks used to understand and analyze attack patterns and techniques, which can then be used to formulate and refine IOCs.

Splunk Enterprise Security's effectiveness in analyzing malicious activities or detecting breaches depends heavily on its configuration and correlation settings. Therefore, it's impossible to definitively label any tool as inherently good or bad. Ultimately, its success hinges on the organization's implementation. This includes onboarding the tool with the appropriate block sources for security detection, employing a sound risk assessment methodology, and aligning the tool's capabilities with both business and security use cases. When configured correctly, Splunk Enterprise Security can undoubtedly contribute to improvements in MTTD and MTDL.

Splunk Enterprise Security helps us detect threats faster. It allows us to define use cases, integrate with multiple threat feeds, and even connect to vulnerability solutions. In essence, by configuring all relevant log sources and defining appropriate use cases, we can achieve the primary objective of any SIEM solution: reducing mean time to protection.

Splunk Enterprise Security has reduced our investigative time by 25 percent by consolidating all logs into a central console. This eliminates the need to log into individual tools for log retrieval.

Splunk Enterprise Security helps reduce the number of false positive alerts.

What needs improvement?

In terms of monitoring capabilities, Splunk Enterprise Security performs adequately. However, its user interface requires training for efficient use. Compared to competitors like IBM QRadar, McAfee Nitro, and RSA Security Analytics, Splunk has a steeper learning curve, making it feel less user-friendly.

For how long have I used the solution?

I have been using Splunk Enterprise Security for almost four months.

How are customer service and support?

We use a licensed third-party Splunk partner for support, and I haven't heard of any issues so far.

Which solution did I use previously and why did I switch?

Compared to IBM QRadar, Splunk Enterprise Security offers faster alert resolution. Its superior indexing and searching capabilities deliver quicker query results. While QRadar boasts a more user-friendly interface, Splunk provides numerous pre-built use cases that effectively reduce false positives and feature comprehensive application dashboards.

For instance, I encountered a use case unavailable in QRadar which appears to utilize the Cyber Kill Chain framework. MITRE ATT&CK enjoys wider adoption, and Splunk leverages this framework whereas QRadar persists with the Cyber Kill Chain. Additionally, Splunk integrates with a third-party app exchange, offering functionalities like vulnerability dashboards, threat intelligence, correlation dashboards, and EPS dashboards. This extensive library of applications caters to diverse business use cases. Users can install these applications as needed, making Splunk a highly customizable and feature-rich solution. Although undeniably expensive, its capabilities justify the cost.

What's my experience with pricing, setup cost, and licensing?

While Splunk is a powerful enterprise tool, I'm new to it myself. I've heard Splunk is often preferred over other options, but the cost can be prohibitive for smaller organizations.

There are cheaper SIEMs available, but they require much more manual configuration, typically by developers with scripting knowledge. Splunk does not require this manual configuration, and its parsing, indexing, and visibility are superior.

What other advice do I have?

Based on the limited time I have been using the solution and the feedback I have received from other users, I would rate Splunk Enterprise Security a six out of ten.

Without a SIEM solution, we rely on individual point solution consoles. For example, logging into a firewall reveals only local logs. Imagine the firewall detects suspicious IPs generating unusual traffic. Confirming this as a true or false positive is difficult solely based on firewall rules. Conversely, a SIEM offers multiple options for correlation. Say the firewall denies traffic, and threat intelligence identifies the source IP as malicious. Additionally, web server logs might show suspicious activity or bad actors attempting an attack. With multiple logs and threat indicators, the chance of false positives drops significantly. Correlation enables confirmation of genuine traffic versus malicious activity. Without a SIEM, pinpointing true attacks from false positives becomes challenging.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
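The correlation reasoning described in the review above (a firewall deny alone is weak evidence, but the same source IP appearing in a threat-intel feed and in suspicious web-server requests makes a true positive far more likely) can be shown in a few lines of code. The block below is an added example, not code from the reviewer or from Splunk; every log line, IP address and indicator in it is constructed, and the scoring rule (one point per independent evidence source, "confirmed" at two or more) is an assumption chosen to illustrate the idea, not a Splunk Enterprise Security rule.

```python
"""Toy SIEM-style correlation over constructed log lines.

Added example (not from the reviewer or Splunk): a single firewall deny
is weak evidence, while the same source IP seen in a threat-intel feed
and in suspicious web-server requests raises confidence that the
activity is real rather than a false positive.
All log lines, IPs and the indicator list below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample data; documentation-range IPs, no real hosts.
FIREWALL_LOGS = [
    "2024-05-01T10:00:01Z fw01 action=deny src=203.0.113.10 dst=198.51.100.5 dport=22",
    "2024-05-01T10:00:05Z fw01 action=deny src=203.0.113.10 dst=198.51.100.5 dport=3389",
    "2024-05-01T10:01:10Z fw01 action=deny src=192.0.2.44 dst=198.51.100.5 dport=443",
    "2024-05-01T10:02:00Z fw01 action=allow src=192.0.2.77 dst=198.51.100.5 dport=443",
]

WEB_LOGS = [
    '203.0.113.10 - - [01/May/2024:10:00:30 +0000] "GET /login.php?user=admin\'-- HTTP/1.1" 403 512',
    '203.0.113.10 - - [01/May/2024:10:00:31 +0000] "GET /../../etc/passwd HTTP/1.1" 404 210',
    '192.0.2.44 - - [01/May/2024:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 4096',
]

THREAT_INTEL = {"203.0.113.10"}  # constructed "known bad" IP feed

FW_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+)")
WEB_RE = re.compile(
    r'^(?P<src>[\d.]+) .*?"(?P<method>\w+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Tokens that mark a request path as suspicious (injection / traversal).
SUSPICIOUS_PATH = re.compile(r"(\.\./|'|--|%27|<script)", re.IGNORECASE)


def parse_firewall(lines):
    """Return {src_ip: number of denied connections} from firewall lines."""
    denies = defaultdict(int)
    for line in lines:
        m = FW_RE.search(line)
        if m and m.group("action") == "deny":
            denies[m.group("src")] += 1
    return dict(denies)


def parse_web(lines):
    """Return {src_ip: number of requests whose path has suspicious tokens}."""
    suspicious = defaultdict(int)
    for line in lines:
        m = WEB_RE.match(line)
        if m and SUSPICIOUS_PATH.search(m.group("path")):
            suspicious[m.group("src")] += 1
    return dict(suspicious)


def correlate(fw_lines, web_lines, intel):
    """Score each source IP by independent evidence sources.

    Each distinct source (firewall deny, threat-intel hit, suspicious web
    request) adds one point. The verdict is "confirmed" only when at least
    two independent sources agree; a lone firewall deny stays
    "low_confidence", which is how correlation cuts down false positives.
    """
    denies = parse_firewall(fw_lines)
    web_hits = parse_web(web_lines)
    results = {}
    for ip in set(denies) | set(web_hits) | set(intel):
        evidence = []
        if denies.get(ip):
            evidence.append(f"firewall_deny x{denies[ip]}")
        if ip in intel:
            evidence.append("threat_intel_match")
        if web_hits.get(ip):
            evidence.append(f"suspicious_web_request x{web_hits[ip]}")
        score = len(evidence)
        verdict = "confirmed" if score >= 2 else "low_confidence"
        results[ip] = {"score": score, "evidence": evidence, "verdict": verdict}
    return results


if __name__ == "__main__":
    for ip, r in sorted(correlate(FIREWALL_LOGS, WEB_LOGS, THREAT_INTEL).items()):
        print(ip, r["verdict"], r["score"], ", ".join(r["evidence"]))
```

With the constructed data, 203.0.113.10 is denied by the firewall, listed in the intel feed and sends injection-style requests, so it scores 3 and is confirmed; 192.0.2.44 has only a single deny and stays low confidence. The same split is what an analyst looking at only the firewall console cannot make.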
PeerSpot user
Security Analyst at a tech services company with 1-10 employees
Real User
Top 20
Good monitoring and visibility with helpful threat detection capabilities
Pros and Cons
  • "The solution helped reduce our alert volume."
  • "When we do a rollout from the server or host or anything, we'd like to see more automation. It would save us time."

What is our primary use case?

I have worked in a couple of areas of Splunk. Initially, I was part of a monitoring team that used it for security information. I used to monitor security alerts which we used to get on Splunk, which was based on the use cases and we set up specific rules for it. Currently, I am part of the administration of Splunk. Now I onboard different log sources to Splunk. We pass over the logs so that it can be used for the security team.

How has it helped my organization?

It helps with security and making sure our infrastructure is compliant. It also allows reporting to be in one centralized location. We can monitor the security logs effectively. It really helps as a cybersecurity element for the company infrastructure to protect us from attacks.

It is quite reliable in terms of data. We have a good amount of licenses currently and find it to be very flexible. It can handle and pull up any amount of data.

What is most valuable?

Splunk is very fast and user-friendly as well. The UI and design are user-friendly. It is easy to understand.

We can do a lot of things on Splunk. We can integrate a lot of other applications on Splunk. And that can be used for day-to-day security operations. It is easy to use, easy to implement, and it is fast. It is reliable.

Our organization monitors multiple cloud environments. We monitor all the infrastructure and cloud environments of clients.

It is easy to monitor multiple cloud environments with Splunk. You have to get clients onboarded to Splunk first, and then the monitoring part comes last. We have a couple of things that have to be done before the security team starts monitoring. For example, we install the agents and set up the hosting. We get the data from the host, we pass it. It is quite a lengthy process. It is easy, however, we have to do it very carefully and cautiously.

Splunk Enterprise Security provides visibility into different environments.

The solution's insider threat detection capabilities for helping our organization find unknown threats or anomalies in behavior are good. We have multiple security frameworks. For example, we have micro frameworks. There are different sets of rules. We set it. What Splunk does internally is just match the incoming logs. Based on the rules that we have set, it will match with the incoming logs. If it matches, then it will generate alerts for the security team. Based on that, we can identify if there is a potential threat trying to get into the company or internal infrastructure. 

The actionable intelligence provided in Splunk Enterprise Security is good. 

It will help us to automate things and can handle certain items on its own. It will just investigate, remediate, and close the necessary alert. If it is beyond Splunk's capability, then an investigation team will be involved in it. 

I have used the threat topology and attack framework feature, however, now I am more of an administrator.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. There are a couple of other tools as well, which do the same thing. However, with Splunk, it's very easy to work with the dashboard and do search queries. You can easily look through the logs via Splunk UI.

The solution helped reduce our alert volume. It will just minimize the false alerts, and just post positive alerts. It's likely reduced false alerts by 60%. A lot is automated now and that helps cut down on manual work.

The solution has helped to speed up our security investigations. Once again, the automation will speed up the process of investigation. It saves a lot of time for analysts as it allows them to see the initial data. If a team has multiple alerts, it will take them time to go through and check everything. However, Splunk does the initial investigation for analysts and will escalate to analysts as needed. It might have reduced security investigations by 80% compared to earlier versions. 

What needs improvement?

When we do a rollout from the server or host or anything, we'd like to see more automation. It would save us time. We wouldn't have to write anything. We would just like the raw log automation.

For how long have I used the solution?

I've been using the solution for three years now. 

What do I think about the stability of the solution?

It is a stable product.

What do I think about the scalability of the solution?

There are two types of users: the administrators and then the users where the logs are coming from. We have about 10 to 15 administrators working directly with Splunk. Overall, there may be more than 1,000 end users we get logs from.

The solution is scalable. In terms of data, it's very flexible. 

How are customer service and support?

Technical support is good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I've used other solutions in the past. We previously used ArcSight Enterprise Security Manager (ESM). It was older and very slow. Comparatively, Splunk is very fast and it has a better UI.

How was the initial setup?

The initial setup was easy. It was not complex. I didn't do the implementation on my own. The deployment times vary. There are many moving parts, such as approvals that need to be taken into consideration. 

We get logs from various sources from various clients.

It does require a bit of maintenance. It requires, for example, server upgrades and patching. 

What's my experience with pricing, setup cost, and licensing?

I can't comment on pricing. I don't take care of that aspect. 

What other advice do I have?

I'm a customer and end-user.

I'd recommend the solution to others and invite them to test the service first on the infrastructure they have. It's a very valuable product to have.

I'd rate the solution nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Staff Application Security Analyst at a media company with 5,001-10,000 employees
Real User
Enables us to analyze security anomalies and research specific threats that we get on our network
Pros and Cons
  • "The solution has made us more secure."
  • "It takes time to train people."

What is our primary use case?

We use the product to analyze security anomalies and research specific threats that we get on our network.

How has it helped my organization?

The solution has made us more secure. It has given us the ability to address threats faster, with greater accuracy.

What is most valuable?

The availability of the data and the fact that we're able to collect a large amount of data into the system and analyze it is valuable to us. The product’s speed and availability make it really useful for us. I'm excited about the additional enhancements to the machine learning toolkit. To be able to use it more is exciting to me.

What needs improvement?

My organization needs more people to learn how to use the solution effectively. It takes time to train people.

For how long have I used the solution?

I have been using the solution for six years.

What do I think about the stability of the solution?

I have never seen any issues with the tool’s stability.

What do I think about the scalability of the solution?

Considering how much we have in place, I would assume that the solution’s scalability is pretty strong.

How are customer service and support?

I haven't had to go to Splunk directly for many things. Communicating with our success managers has been very positive.

How would you rate customer service and support?

Positive

What other advice do I have?

We need to improve our implementation. We're a pretty large customer of Splunk, so I think we do have a lot of resources available. Splunk has really good courses and availability. We need to get more people to be more familiar with the tool. The solution has helped us reduce our mean time to resolve. It really works well for us, and it helps us to look at our data more effectively.

Splunk has helped improve our organization’s business resilience. It's not just used for security. We have big use for it. It has definitely helped us prevent problems from occurring and identify them when they do. Splunk’s ability to predict, identify, and solve problems in real time is very strong. It works as well as we use it. There's a lot of value within the tool. It can be very powerful if used properly and if people are knowledgeable about it.

Splunk has a strong ability to provide business resiliency by empowering staff. I've been using it for as long as I've been with this organization. Compared to other solutions, Splunk is really strong.

I have seen time to value using this solution. I love using it. It’s a great tool. I cannot compare Splunk to other tools because I've been using it for as long as I've been with my current organization. In my previous organization, we didn't have big data, so we really didn't need the product. I am a consumer of the solution from a security perspective.

Overall, I rate the solution an eight or a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2024