Splunk Enterprise Security Reviews

We use Splunk Enterprise Security to identify and resolve critical issues and errors within our environment.

The visibility that Splunk Enterprise Security provides is good. We can easily find the data we need using the logs.

Monitoring multiple cloud environments using Splunk Enterprise Security was not difficult.

Splunk Enterprise Security's insider threat detection capabilities enable us to effortlessly identify unknown threats and anonymous user behavior.

Splunk Enterprise Security helped us analyze malicious activities and detect breaches between 50 to 90 percent faster.

Splunk Enterprise Security has helped reduce alert volumes by up to 90 percent.

Splunk Enterprise Security has helped speed up our security investigation time by almost 90 percent.

The most valuable feature of Splunk Enterprise Security is the comprehensive logging capabilities it provides.

The price of Splunk Enterprise Security is high and can be improved.

Given the ever-increasing number of threats, I would like Splunk to update its threat signatures more frequently.

I have been using Splunk Enterprise Security for one and a half years.

Splunk Enterprise Security is stable.

Splunk Enterprise Security is scalable.

The resilience of Splunk allows organizations to protect their data and resolve vulnerabilities quickly.

The technical support provides good resolution.

Positive

I had previously used Loggly, developed by SolarWinds and Elastic. However, I found it to be inaccurate and slow. Elastic offers a free version of its solution, which is more commonly used by smaller businesses.

The implementation was completed by a third party.

Splunk Enterprise Security is expensive. I would rate the cost an eight out of ten with ten being the most expensive.

I recommend Splunk Enterprise Security over cheaper SIEM solutions because of its offerings.

I would rate Splunk Enterprise Security nine out of ten.

Splunk Enterprise Security does not require any maintenance. It is plug-and-play.

I recommend Splunk Enterprise Security for organizations that want to detect threats quickly.

We primarily use the solution for SOC purposes.

The solution has made it possible to check and detect our traffic a bit better.

The incident review is great for working inside of a SOC if we want to see everything and we want to configure notables and have all notable features, it's useful. We're moving to SOAR right now for configuration for our work center. As far as ES in our work center, just detecting our notables and monitoring all our traffic, is the most important feature as far as what our day-to-day is concerned. 

Splunk has helped us with mean time to respond, although I don't have exact numbers.

Splunk has helped improve our company's resilience level.

Splunk is very good at predicting, identifying, and solving problems in real time. I've never used anything else, however, I'm impressed with the ease of it and the ability to find anything and everything we need. 

I do a lot of the maintenance. A lot of my workers are fresh into Linux and need to monitor, manage, and do maintenance on it. They should bring back the maintenance mode button. Splunk used to have it and they took that feature away.

The upgrading process could be smoother. 

I've used the solution for about a year.

The stability and availability of Splunk are great. It does get weird when we initially update items, however. That's the only time we see issues. It may try to input data in areas it doesn't need to. That said, we are aware of the quirks of the setup. 

Scaling is easy if you have done it a couple of times. 

The environment I have has multiple servers. We might have around 100 servers. 

Splunk support is very communicative about our concerns. That said, the answers I've gotten back don't make sense. I'm not sure if they communicated our issue in the right way or if they misunderstood, however, they did not correctly address our issue. In the end, we do have a good dialogue. I now expect that they will misunderstand the problem on the first round and we have to go back and forth. The effort is there to try to understand. 

Neutral

The company may have had QRadar for a while before Splunk. I wasn't around when they switched to Splunk so I cannot compare the two. 

I was not involved in the initial deployment of Splunk. 

The company has witnessed an ROI in terms of the amount of time saved via being able to tweak our searches. The docs are great. They help tremendously in filling knowledge gaps. The ROI is solid. 

I don't deal with pricing or licensing. 

I've only worked with Splunk as far as data ingestion. 

The solution does take a bit of understanding. It does need improvements in some areas. I'd rate the solution seven out of ten. 

My use cases are very limited. I use the product mostly to detect internal threats like data exfiltration.

I am a basic user. The search lookups are useful.

The product must improve insider threat detection. Almost everything is outside in, but not inside out.

I have been using the solution for four years.

The solution is very reliable. I like its stability. It always works.

Sometimes, it takes time when we need additional information or something extra. However, the tool’s able to do it.

I haven’t contacted the support team. I reach out to the internal expert. My searches and my requirements are very basic. The expert is great. He’s always able to help me and guide me.

Positive

We do see a return on investment. The product saves us time by automating reports and helping us see data.

The solution helps reduce our mean time to resolve. It’s great to automate some tasks. I believe Splunk has helped improve our organization’s business resilience. We have become stronger in insider threats by just stopping things, being able to show what is leaving, and taking action on it. It's very useful when I try to identify events.

When I started working in my organization, they were using Splunk. Overall, I rate the product a nine out of ten.

We implement Splunk Enterprise Security for our clients. It's a security tool that centralizes data in one location, so we can gain some insights from it. We can also use it to create alerts. For example, let's say we want to find an incident in real-time, but we can't sit in a single place and stare at the screen. We can create alerts that send us an email notification or automate a response. 

Splunk helped us reduce our alert volume because we could optimize our risk-based user analytics. I estimate that we decreased alerts by around 20 percent. Splunk Enterprise Security speeds up security investigations.  

Splunk's strongest suit is its user interface. We can integrate multiple solutions and adjust settings in the Splunk interface. It's easy to manage multi-cloud environments because we can use rules to segregate the data and restrict our clients from seeing each other's data. Splunk has a lot of plugins and add-ons that provide a lot of information about our cloud and on-prem environments.

Splunk's MITRE ATT&CK framework is excellent, but I haven't used it for investigation. I'm primarily involved in implementation and development. Splunk Enterprise Security is solid detection-wise and faster than many other SIEM solutions. 

We already have an antivirus solution in our environment, so Splunk detects viruses based on that. Once the antivirus detects something, it generates an incident in Splunk that we can investigate. The detection time depends on a few factors, but we can detect a threat in two to five minutes under ideal conditions. 

Splunk could improve its default machine-learning models. Also, Splunk Enterprise's native threat intelligence isn't that good. I prefer a custom threat intelligence model. 

We have used Splunk Enterprise Security for more than three years.

Splunk Enterprise Security has gone through multiple versions, so the product is mature and stable. It's currently on version 9. 

We can scale Splunk Enterprise Security horizontally or vertically. It isn't a problem. 

I rate Splunk support 10 out of 10. Splunk has better support than other vendors I've worked with. It's better than IBM support. 

Positive

We previously partnered with IBM and used QRadar as our SIEM. Splunk is faster, and I like the look and feel better. If you are looking for the cheapest solution, some free open-source SIEM solutions exist. They can do many of the same things that Splunk can do but maybe not at the same scale. 

One person can deploy Splunk Enterprise Security in 15 to 20 days, depending on the architecture. It takes less time to deploy on the cloud. The solution requires some maintenance. We need someone there to monitor it in case there are issues. Three people are responsible for maintaining Splunk. 

Splunk costs a little more than other SIEM solutions. It would be nice if they could bring the price down a little. 

I rate Splunk Enterprise Security nine out of 10.

We use Splunk Enterprise Security for continuous monitoring, ensuring compliance, and advanced threat protection.

Splunk Enterprise Security allows our customers to view their decentralized infrastructure from a single pane of glass.

Splunk Enterprise Security's insider threat detection capabilities are good.

The actionable intelligence provided by the threat intelligence management feature is effective. The solutions are integrated into the platform, and customers receive operational insights.

The MITRE ATT&CK framework's ability to help our customers discover the overall scope of an incident is high.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches.

Splunk Enterprise Security helps our customers detect threats faster.

Splunk Enterprise Security is able to process a huge amount of data without any issues. Our customers can see the benefits two to three months after deployment.

Splunk Enterprise Security helped our customers reduce their alert volume by 40 to 50 percent.

Splunk Enterprise Security helped speed up our customer's investigation time by 60 to 70 percent.

Splunk Enterprise Security can be improved by including backup network detection and response and safe management to the paid platform.

Splunk Enterprise Security's price is high and could be lowered.

I have been using Splunk Enterprise Security for two years.

I would rate the stability a ten out of ten.

I would rate the scalability a ten out of ten.

The technical support response time is delayed and they can take two to three days to respond sometimes.

Neutral

The initial setup can be complex for customers who require advanced configurations and customizations, but it is straightforward for basic usage.

The deployment process is simple. We first identify the platform and determine if it is a unique system. Then, we define the virtual environment. After installing Splunk's platform, we perform the necessary configurations and other tasks. Splunk Security Essentials is a premium add-on for this tool, which is installed on the Splunk Enterprise platform.

The number of people required for the deployment depends on the customer's requirements and the use case they are developing. For example, if the customer needs to gather data from their network, we will need to add network experts to the project. However, if we already have experts who are familiar with the API and application connectivity, we may not need to add any additional people. Ultimately, the number of technical resources required will depend on the specific needs of the project. On average, we require four to five technical people for deployment.

Splunk Enterprise Security's price is high. I would rate the cost as ten out of ten, with ten being the most expensive.

I would rate Splunk Enterprise Security an eight out of ten.

There are many cheaper solutions available on the market but Splunk Enterprise Security is worth the cost.

Two people are required for maintenance.

The value Resilience offers our customers is good.

The primary use case is security and data analytics. In general, we manage and maintain it for our customers.

Application-wise, it's good. Searching and reporting of data analytics is also fine. The dashboard presentations are also a good feature. Overall, its functionality is great and that's why we use it.

I would like additional support for custom add-ons, as well as cloud integration. Right now we have concerns because we have to customize applications for direct integration. But on-prem, it is all functional. We have to build it on our own. Previously, they developed custom connectors or add-ons for a lot of applications. But that number can be upgraded still. There are a lot of applications in the world that are not supported.

I have been using Splunk Enterprise Security for over two years. I received Splunk certification six years ago.

The stability of the functionality is good, but there are still bugs that keep hindering things. I am waiting but they are there and that is quite common. I think they have not yet been resolved from the older versions. The stability is a seven-plus out of 10.

It's scalable for all environments. Splunk Cloud can be scaled to a small or medium company, depending on their inputs or log resources. Businesses at the high end of medium-sized, and large companies, can go with the on-prem solution.

The technical support is good. 

However, there is a lot of delay nowadays. The last time we raised a case, it took quite a long for them to come back with their first response. That's not for a P1 or P2, but if it is a P3, they don't respond at the earliest. When they respond, it is quite late and we have to ask again. The first response is never an answer. It's always a query.

Still, the people I have worked with there are all an eight-plus out of 10.

Positive

It can be deployed on-prem or in the cloud. With the latter, it is Splunk's own cloud. 

The deployment of the solution is straightforward, but there is a lot of engineering activity involved in designing the architecture. Architecture-wise, it is fine, and bringing things together is not that tough, but maintaining and managing it is a tough job because we don't work in a normal environment. We work on something that is very defined to the network. That means we have to build everything from scratch and deploy it.

The implementation strategy depends on how the customer wants things done. But in general, I go through research and then develop and design. I ask the client what sort of environment is flexible or cost-effective for them. It's done in stages. It's a matter of understanding the infrastructure and then implementing,  or designing and handing it over to them.

If there are 1,000 log sources, it takes six months to a year to deploy, depending on how the customer is supporting the process.

Every on-prem solution involves maintenance, including keeping things upgraded, whereas Splunk Cloud is managed by the vendor. The number of people involved in on-prem maintenance depends on the size of the environment and how long our update window is. For example, if we have a green zone at midnight for three hours, and we want to upgrade at least 20 to 30 servers, it will take eight to 10 people working in parallel. But for a very small environment of 10 servers, it will take four people to manage it, or if we have a large window, even three people can do it.

We do it ourselves.

The pricing depends on the bandwidth of an organization and is good compared to some SIEM tools. IBM, for example, is quite costly. But Microsoft Sentinel is notably cheaper. I have seen a lot of organizations running on Sentinel.

IBM is for quite large organizations that don't want to have their data on the cloud. Splunk has both on-prem and cloud modules and, cost-wise, Splunk is better. Internally, we cannot push everything to the cloud. That would become too expensive for us. So we have it sitting in our data center and that is good.

I have worked with a number of other solutions including RSA enVision, IBM QRadar, as well as Microsoft, McAfee, and LogRhythm. 

If we want to build an add-on feature in Splunk, we have to build an application and then integrate it. But in other applications, there is a direct integration that only requires partial development and it will start functioning.

Also, there is something called correlation in a lot of other tools. Splunk also has it but it consumes a lot of memory. If we tag all the data, it is better, but tagging consumes storage and it makes it a little tough for us to run a search. 

If we want to work towards SOAR, if there were a little bit more integration so that our customers could taste SOAR, they could then move to Splunk Phantom or other tools. Right now, people are not using automation. Everything is done manually. Hopefully, that's the next goal. Security operations will surely use SOAR and, once they start tasting it, they'll get to know how it works. They can design playbooks and start using it. That's an additional feature I would like Splunk to bring in. 

Splunk's advantage is its search capability. Its search is notably faster. With Splunk, I can search easily on keywords. That is great. It also has something called "stats" and it runs much faster. Within minutes, it gives the data from a very large set. Spunk's dashboards are also a very good thing. No other application or tool is as versatile in presenting the dashboard. It all comes down to presentation. It may take a little bit of engineering work to develop and customize, to parse the fields and fetch the data, but the presentation is good.

Our technical teams are demoing various enterprise tools to develop experience and knowledge so we can better serve our clients. In addition to Splunk, we are evaluating IBM QRadar and one other solution. One of our customers is asking about the Splunk MSP model.

Splunk allows us to customize processing and dashboards, which helps us take care of our customers' needs. Splunk is costly, but it's better than other products. It speeds up security investigations. It helps us detect threats faster. Everything is faster. The only part that's lagging is the management. Otherwise, Splunk is good. It took about a month to realize the solution's benefits. 

We get few alerts except for the other solutions we have integrated with Splunk. We'll monitor those alerts and support their customers, but we don't have any other mechanisms for databases or something outside of the infrastructure. 

Splunk enables us to customize dashboards and queries, and we can add multiple admin users. We only use the essential parts, including the MITRE ATT&CK framework capabilities. Organizations share threat information under the MITRE ATT&CK framework. We do threat hunting and marketing based on that.

We do manual threat hunting. We get all the IP addresses and check the threat databases to determine if it's malicious. 

The algorithms and alerts could be improved. I would also like to pre-build use cases. We need to create the algorithm based on our use cases. 

The threat management part is still lagging. There are some gaps in threat management. Other vendors have built-in threat management systems, but Splunk lacks the threat management component in its portal. The UEBA and everything else is perfect, but it lacks a unified threat intelligence and management feature. 

We've also had problems integrating the solution. We get multiple errors, like search log errors, UI errors, etc., and performance issues. It's fine with basic content, but if we're dealing with multiple data sources and 30 GB of data, it cannot handle the load. Our customer is indexing around 10 GB of data daily, and I can't search the log without getting errors. 

Splunk Enterprise is stable. 

Splunk Enterprise is highly scalable. 

We haven't had to contact Splunk support because we can find all the answers we need online. 

We also use IBM QRadar.

Deploying Splunk is straightforward. We had no issues. 

Splunk is more expensive than most solutions, but it offers lots of value. If a customer wants the cheapest solution, we'll use that.

I rate Splunk Enterprise Security an eight out of ten. I would give it a ten if it had built-in threat management. 

We primarily use the solution for monitoring, intrusion detection, and prevention. It is mostly a lot of security and network and server monitoring.

It automated the way we look at intrusion detection and prevention. It automatically picks up intrusion attempts within our environment.

The monitoring and the security functionality are the most valuable aspects of the solution.

It is easy to set up.

It is very scalable. 

You can basically make it do whatever you want, from log management and monitoring security, intrusion detection, prevention, and linking to your antivirus to report to it. Having kind of a single point where everything feeds in and create dashboards however you like is useful and works with how many ever systems you want in that dashboard.

I've not come across any areas that need improvement.

I'd like to see more integration with more antivirus systems.

We've used the solution for roughly, one year and a half years.

The solution is highly scalable.

We have four people that use the solution and they were split between infrastructure and security.

We don't have a plan to increase usage as we're almost at capacity with our servers, for our purposes. I don't think we're going to scale it as we're using everything we can from anything we need. However, it's intensely used for security purposes.

Technical support is perfect.

Positive

The initial setup was straightforward. It was done by Splunk entirely. After that, the configuration took a bit of time, however, we bought professional service days from them to help us build the configuration.

The full deployment took about five months due to the fact that we have quite a lot of servers.

I'd rate the experience a five out of five in terms of ease of execution. 

The amount of people you require for deployment and maintenance depends on the complexity of the environment. It can be run and managed by a single person if the environment is not highly complex. If you're talking about probably less than 200 servers, and a couple of network endpoints, one person can manage it easily after it's been configured. Otherwise, I wouldn't be able to say. In more complex environments where you've got several geographical locations, several data centers in geographical locations, and so on, you'd probably need more than one.

Splunk handled the implementation. It was a joint effort between them bringing the knowledge and us doing the actual work.

It's a great investment, especially if you want to strengthen your security stance.

It's yearly a yearly license on a three-year contract. On a three-year contract, you get a discount basically - rather than putting it on a rolling yearly contract.

On pricing, if I base it on the functionality of the system out of the box, I would rate it five out of five.

They have several prepackaged modules you can purchase. For example, for the security type, they have Security Enterprise, with the default products getting security essentials. With Infrastructure, the same. We've got an ITOps enterprise, which again, is payable on top of the standard license. 

It's pretty much how much you can actually build in-house. The difference between AT&T, LogRhythm, and Splunk, while AT&T and LogRhythm are pretty out of the box (it's click and configure), Splunk is highly configurable. 

You can make it do whatever you want to, as long as you know how to edit the configuration files. What ITOps and Security Enterprise do, instead of you having to build all that from the ground up, so the dashboards, the logic behind it, the configuration files, and so on, become prepackaged and pre-installed.

We did test AT&T and LogRhythm as well. We chose this solution as a balance between cost and functionality.

AT&T was a great security tool, however, it lacked a lot of the infrastructure things that Splunk does, in terms of server monitoring and network monitoring. LogRhythm did have a dose, however, at a very prohibitive price. It was almost twice the cost of Splunk.

We've got a version of Splunk Cloud. I'm not sure of which version.

I'd advise users to get more professional service days. You get five professional service days with the product, when you buy the license, usually. Definitely get at least ten more.

You need to have some strategy before. You definitely need a strategy. Before you do your PS days, definitely have a look at your strategy and make sure you've arranged your questions rather diligently. Based on how you think you're going to use the system, where you are where you want to be, just box them into separate parts - security, infrastructure, and monitoring. It's going to make life a lot easier when you talk to consultants as the consultants are very, very knowledgeable. However, you need to ask the right questions.

I'd rate the solution ten out of ten.