What is our primary use case?
The solution is primarily used to monitor the operating system for threats, specifically related to login threats. If someone is trying to log in, or somebody is trying to break into the system, the idea is that it will check that and catch it. It's mainly for external threats to the operating system.
How has it helped my organization?
The solution has improved our organization by providing a comprehensive picture of any external threats to the operating system. It improves asset control.
What is most valuable?
The logs on the solution are excellent. Mostly I see just the reports or the outcome; however, with the log portion, you can actually take log entries and pass them through the system in order to create events or conditions and get reports. You can set up your conditions on the logs that you have ingested into Splunk, and get the reports or the output that you want.
What needs improvement?
We're still going through it at this time. However, there are a few changes that could be made.
It could be more user-friendly, in terms of the end-user experience. The end-user aspect of it could be enhanced, whereby you could probably have a lot more people who could sign into the tool and look at the reports, and have the reports actually laid out in plain English. Usually, with tools like Audit Vault and Splunk, if you're not the IT person and you're not trained on that system and you're seeing all of the outputs, the language is something you have to convert.
Therefore, the end-user experience could be improved so that when you get those alerts and notifications, you could have supervisors and different people actually knowing what those reports mean instead of having someone convert them into something more easily digestible.
There should be more enhancements done to the end-user dashboards. Improved dashboards are always good. If you have an IT tech that's up there, and they're looking at the dashboards and they're seeing everything, it would help if they could do events and have a dashboard that they could log into as a supervisor and see everything, and just get specific reports for specific areas.
For how long have I used the solution?
We've been using the solution for three years.
What do I think about the stability of the solution?
I can't really speak to the solution's stability beyond how I use it, which is for training. However, I've never experienced bugs or glitches on it and therefore believe it to be very reliable.
What do I think about the scalability of the solution?
The solution seems to be very adaptable, and if not, we'll figure out what to do in the next couple of years when the program has developed more, and the general capabilities become apparent.
It is a log parsing tool, so if you take any type of log, operational or financial or security logs, and you put it in there, hopefully, we will find out that a log is a log, and you just create your events and you get the output that you want. Therefore, I don't foresee an issue with scalability per se.
How are customer service and technical support?
The technical support is pretty good. I would rate it at a seven out of ten. We're mostly happy with the level of service we receive from them.
What they probably need to do is help make the reports more manageable for the end-user or to help the end-user understand them more easily.
Which solution did I use previously and why did I switch?
We didn't previously use a different solution. We've only ever really used Splunk.
How was the initial setup?
The initial setup was not complex. It was pretty straightforward. It was already loaded on the environment. It's managed by a third party or service provider, therefore we just kind of fell into the rhythm of using it pretty quickly.
What other advice do I have?
We're just a customer. We don't have a business relationship with Splunk.
We're using the latest version of the solution.
I'd advise those considering the solution to do some basic training before jumping into using the solution. It will help you understand how everything is supposed to work.
I'd rate the solution at an eight out of ten, due to the fact that it's more flexible than other solutions. I like the idea of taking a log, any log, and putting it into a tool and creating your events and your conditions in order to get the output that you're looking for. It's more scalable and flexible than other options on the market.
Which deployment model are you using for this solution?