TrustRadius Insights for Splunk Enterprise Security are summaries of user sentiment data from TrustRadius reviews and, when necessary, third party data sources.
Pros
Intuitive User Interface: Users have consistently found the user interface of the product intuitive and easy to use, allowing for quick completion of tasks. Many reviewers praised its simplicity and user-friendly design.
Efficient Log Correlation: The automation capabilities in XDR were highly appreciated by users as they enable efficient log correlation and turning data into meaningful insights. Several reviewers mentioned that this feature saves them time and enhances their overall productivity.
Comprehensive Security Monitoring: Users highlighted the product's ability to monitor firewall traffic, mail systems, and AWS infrastructure, providing comprehensive security monitoring. This feature was commended for its effectiveness in identifying potential threats from various sources.
Between our warehouse systems, fleet tracking, logistics portals and cloud apps, there's a flood of data every second. Splunk ES is the connector that pulls all that into one view. The company handles freight for a couple of government clients. We are therefore required to prove that all access and data transfers are monitored. Splunk's audit dashboards make that less painful.
Pros
The dashboards are super flexible. We've built custom ones for different teams with so much ease.
Correlation search feature is superb
Risk based alerting
Cons
The more data you feed it, the more maintenance it needs, and the cycle never stops, but storage costs keep spiking.
Data onboarding is harder than it needs to be. We are always forced to contract partners whenever we're bringing in a lot of logs.
Likelihood to Recommend
Splunk is powerful, no doubt about that but it also demands way too much attention. I'd recommend it to teams that have a decent handle on their data flow. As for us, we're still struggling to get ahead of the data situation but Splunk's complex data ingestion gateway isn't making that any easier.
Verified User
Analyst in Information Technology (5001-10,000 employees)
We use it to monitor and correlate data across more than 20 client environments, each with different infrastructures and compliance needs. The main challenge it addresses is visibility. Previously, our SOC relied on separate SIEM tools for certain customers, which meant fragmented investigations and duplicated alerts. Now Splunk ES centralizes all that.
Pros
Instead of reviewing thousands of low-level alerts, I can prioritize risks based on the entity's risk score on the risk-based alerts dashboard.
The adaptive response framework allows me to link alerts directly to our SOAR playbooks in Phantom. This way I can automate triage steps that traditionally took hours.
Cons
Creating complex custom correlation searches sometimes feels more complicated than it should. You need deep SPL experience to build anything beyond basic logic.
Likelihood to Recommend
Splunk is an incredibly capable platform, especially for large-scale multitenant environments like ours. But it does demand a lot of engineering effort to get it right.
Splunk thrives in environments that already have mature log pipelines and dedicated teams to maintain them. Its power lies in its flexibility. However, if your data sources are unstructured or inconsistent, you'll constantly write and rewrite custom regex transformations - at an unjustifiable cost, effort-wise.
It's easy to build queries and integrate with other systems and applications. There are a lot of add-ons you can integrate with Splunk that can save you a lot of time. Correlation and investigation are easy due to Splunk's effective data parsing capability. There are endless options to customize searching. It provides a very accurate data analytics platform that can be adopted by users of all levels, e.g. from tools like Data Tables for novices to Splunk's Web Framework for experts.
Pros
It gives visuals to the client when we select a graphical portrayal, enabling us to change signs into visual outlines, for example, pie outlines, diagrams, tables, and so on.
Dashboard UI is intuitive and exceptionally educational, so one can easily find whatever they are looking for.
Cons
Sometimes, it's very, very slow! It also takes a long time to refresh.
UI for pattern searching can be a little better.
Likelihood to Recommend
Well Suited: What we admire most about Splunk is the significant improvements and capabilities it brings to the software with every major release. It is simply mind-blowing and easy to set up from a backend developer's point of view, as it is compatible with existing popular enterprise frameworks using microservice architecture (Spring Boot). Less Suited: Their enterprise plans are frankly costly. Cost wise, maybe it won't be suitable for small startups.
We use Splunk Enterprise in our organization to achieve the following: consolidate logs from all sources in one place; create custom correlation alerts to paint the bigger picture effectively; create sophisticated dashboards and reports using multiple data sources for better and non-redundant visualization; create some basic automation like CSV updates; perform threat hunting to discover unknown threats; manage incidents in one place and track analyst performance.
Pros
Writes Powerful Queries: The queries that can be written using the Splunk Query Language are very powerful and highly customizable to meet every need. Ex: Writing queries to search the intersection of two different sources like Network and Endpoint Logs.
Offers Dashboard Abilities: Helps build complex panels for Dashboards in addition to providing several out-of-the-box panels. Ex: creating panels to calculate the performance of analysts in a given timezone.
Helpful Search Aids: It helps to set up complex custom alerts very easily. The interesting fields section is very helpful while threat hunting. Ex: It shows all the users and the frequency of each in a failed login event. The user list on the interesting fields is useful to look for suspicious logins.
Cons
Dashboard Builder: It needs more out-of-the-box panels for beginners to learn.
Autofill: The query autofill isn't that great. It needs better suggestions for beginners especially.
Speed: The speed of the search isn't that great. It can be improved. For some queries, it takes too long.
Error handler: The error messages in the case of wrong syntax can be more descriptive. The messages are sometimes vague and are not helpful.
Likelihood to Recommend
Well suited: Splunk ES is highly recommended in an environment with many data sources and experienced computer engineers. It has a steep learning curve, but once that hurdle is crossed, it is absolutely a beast. It is also very expensive, so a company putting a high amount of budget in Security is needed. Not well suited: Splunk ES is not recommended if a company has only a few sources and some non-technical IT users. The price won't justify the fewer data sources and scratching just the surface level. Moreover, non-technical IT users would be better off with something that has a query builder, unlike Splunk.
Verified User
Engineer in Information Technology (1001-5000 employees)
Splunk Enterprise Security (ES) is integral to our cybersecurity strategy. It swiftly detects and responds to threats, addressing compliance and incident response challenges. ES aggregates data from diverse sources, offering real-time monitoring and correlation. This agility minimizes security incident impact.

ES aids compliance management by providing detailed logs and reports, streamlining audits. Our use case spans the organization, integrating various data sources for a comprehensive security view. It also incorporates threat intelligence, bolstering proactive threat identification.

In summary, Splunk ES is a vital component, ensuring swift incident response and maintaining compliance with industry standards. Its scalability and adaptability make it a cornerstone of our security operations.
Pros
Advanced Threat Detection and Correlation: ES stands out in its ability to detect sophisticated threats by correlating data from multiple sources. For instance, it can identify unusual patterns in user behavior, cross-referencing with network logs to flag potential insider threats.
Real-time Monitoring and Alerting: ES offers robust real-time monitoring capabilities. It excels in promptly alerting us to critical security events, such as suspicious network traffic spikes or unauthorized access attempts, allowing for immediate response.
Comprehensive Log Analysis: ES ingests and analyzes an extensive range of log data. It's particularly adept at parsing and making sense of complex log formats, making it a versatile tool for understanding system activities and security events.
Cons
Improved User Interface Customization: While the interface is generally intuitive, providing more options for users to customize their dashboards and views would enhance the overall user experience. Tailoring the interface to specific roles or use cases could be a valuable addition.
Simplified Alert Management: Streamlining the process of managing alerts, such as grouping or categorizing them based on severity or type, would make it easier for security teams to prioritize and respond to incidents effectively.
Expanded Threat Intelligence Feeds: Increasing the variety and sources of threat intelligence feeds available within ES would provide a broader context for identifying and mitigating emerging threats, ensuring a more comprehensive defense against evolving attack vectors.
Likelihood to Recommend
Well-Suited Scenarios:

Real-Time Threat Response: ES excels in swiftly detecting and responding to security threats through data correlation.
Compliance Management: ES streamlines compliance with detailed logs and reports, ideal for regulated industries.
User Behavior Analytics: Effective in monitoring user and entity behavior, particularly for insider threat detection.
Large-Scale Environments: Valuable for organizations with diverse data sources and high volumes of data.
Incident Investigation: ES aids in post-incident analysis, reconstructing events to understand root causes.

Less Appropriate Scenarios:

Smaller Organizations: For simpler setups, ES may be complex and costly.
Static Environments: In low-risk settings, ES's advanced features may be unnecessary.
Limited Resources: Tight budgets or sparse IT resources may hinder effective ES use.
Lack of In-House Expertise: Without security experts, optimizing ES can be challenging.
Budget Constraints: ES may be cost-prohibitive for budget-conscious organizations, prompting consideration of more affordable alternatives.
I was evaluating Splunk for a potential client. Splunk is a great tool for anyone that needs a SIEM to monitor data, networks, users, etc. The customization of the dashboard is ideal for anyone to set up and use for an easy display of information. The alerts are incredibly helpful for notification of any problems.
Pros
Develop dashboards and notables to track security-relevant details
Data correlation
Threat monitoring and detection
Cons
More efficient searches
Multiple ways of creating reports and alerts is confusing
Likelihood to Recommend
It is very easy to connect data sources and manipulate data sets of any size.
I use the product to help monitor, analyze and potentially mitigate certain security issues that may come up. This includes acting as a secondary for escalations and looking at some alerts. I also use it to action on data that may be of use to our organization. It is helpful to organize alerting and easy to take action.
Pros
Monitoring log activity for potential security problems
The interface for investigations is pretty easy to use
Enjoy the high level detail the product gives for alerting
Nice playground for keeping track of investigations
Ease to create new notables to track further items.
Cons
Crazy awful latency when loading
Sometimes the events tab won't show any logs
Difficult to follow certain parts of investigations, but this is being addressed with Mission Control. (I'm talking about the original interface)
Confusion about where to easily navigate to view what items make up risk score as the interface can be confusing.
Lowering the risk score is extremely obnoxious.
Likelihood to Recommend
I like how it's all one dashboard and there is not a separate SIEM from the actual log aggregator. This makes investigation a lot more efficient and easy to complete. It is easy to close multiple alerts together and to link items when the notables are part of an overarching issue. It is also easy to make another notable. It is easy to change the risk score to lower the alerting threshold.
Verified User
Analyst in Information Technology (1001-5000 employees)
Splunk ES is a very useful and powerful tool as a SIEM platform. We send logs from multiple sources such as Windows servers, Linux, RH, firewalls, WAF, O365, etc. The installation process of the UF is not complicated, the deployment of the information is fast, and the language for the visualization of tables or graphs can be a little complicated, but there are guides and KBs to support these tasks.
Pros
Customization of dashboards
Creating apps based on your needs.
Search queries can be saved for future or even can be converted to apps
Cons
High cost
Slow interface
Likelihood to Recommend
We send logs from multiple sources such as Windows servers, Linux, RH, firewalls, WAF, O365, etc.
Verified User
Professional in Information Technology (5001-10,000 employees)
We use Splunk ES to monitor security-relevant events, create notables for our Analysts to review, and overall improve our organization's security and security hygiene. Splunk ES is a service we offer to our clients as an MSSP and SOC-as-a-service, giving potential customers another great option to use for their own organization.
Pros
Breakdown event logs into easy-to-search fields
Provide relevant trends and metrics for events
Develop dashboards and notables to track security-relevant details
Cons
Ease-of-use for new users
Better options to export events/notables
More streamlined UI
Likelihood to Recommend
It has nearly limitless potential for security uses, but the learning curve is very steep. Our analysts have had to go through extensive training and practice to fully utilize Splunk ES.
Verified User
Manager in Information Technology (11-50 employees)
I work for a big organization with a large infrastructure. Splunk Enterprise Security (ES) helps a lot from a security perspective and in chasing threats, vulnerability detection, and critical traffic detection on the firewall device. Based on the risk score we can get incident notifications and we can evaluate based on suggestions. Best SIEM tool for SOC analysts, and good progress.
Pros
Threat detection
Security
Vulnerability
Cons
Use case
Predefined data models
Endpoint frameworks
Data loss protection use cases and framework
Likelihood to Recommend
Splunk Enterprise Security (ES) protects the company's infrastructure with well-detected and automated alerts based on programmed alerts, which is mainly a threshold risk score. Predefined use cases will help you protect the cloud environment, and SOC analysts can easily jump into them and enable them as they want. Correlation methods will give you more exposure to track different ways to identify issues and get resolutions.
Verified User
Team Lead in Information Technology (5001-10,000 employees)