Skip to main content
TrustRadius
Splunk Enterprise Security (ES)

Splunk Enterprise Security (ES)

Overview

What is Splunk Enterprise Security (ES)?

Splunk Enterprise Security (SIEM) is the company's flagship SIEM product, offered as a premium service to subscribers of Splunk Cloud or Splunk Enterprise.

Read more
Recent Reviews

TrustRadius Insights

Intuitive User Interface: Users have consistently found the user interface of the product intuitive and easy to use, allowing for quick …
Continue reading

Highly Recommended!

7 out of 10
September 12, 2023
Incentivized
Splunk Enterprise Security (ES) is integral to our cybersecurity strategy. It swiftly detects and responds to threats, addressing …
Continue reading

Splunk ES Review

9 out of 10
September 06, 2023
Incentivized
We use Splunk ES to monitor security-relevant events, create notables for our Analysts to review, and overall improve our organization's …
Continue reading
Read all reviews

Awards

Products that are considered exceptional by their customers based on a variety of criteria win TrustRadius awards. Learn more about the types of TrustRadius awards to make the best purchase decision. More about TrustRadius Awards

Popular Features

View all 13 features
  • Centralized event and log data collection (100)
    9.3
    93%
  • Custom dashboards and workspaces (102)
    9.0
    90%
  • Incident indexing/searching (101)
    8.7
    87%
  • Deployment flexibility (101)
    8.3
    83%

Reviewer Pros & Cons

View all pros & cons
Return to navigation

Pricing

View all pricing
N/A
Unavailable

What is Splunk Enterprise Security (ES)?

Splunk Enterprise Security (SIEM) is the company's flagship SIEM product, offered as a premium service to subscribers of Splunk Cloud or Splunk Enterprise.

Entry-level set up fee?

  • No setup fee
For the latest information on pricing, visithttps://www.splunk.com/en_us/products/p…

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Would you like us to let the vendor know that you want pricing?

65 people also want pricing

Alternatives Pricing

What is Microsoft Sentinel?

Microsoft Sentinel (formerly Azure Sentinel) is designed as a birds-eye view across the enterprise. It is presented as a security information and event management (SIEM) solution for proactive threat detection, investigation, and response.

What is InsightIDR?

In addition to their incident response service, Rapid7 offers InsightIDR, a combined XDR and SIEM that provides user behavior and threat analytics.

Return to navigation

Features

Security Information and Event Management (SIEM)

Security Information and Event Management is a category of security software that allows security analysts to look at a more comprehensive view of security logs and events than would be possible by looking at the log files of individual, point security tools

8.5
Avg 7.8
Return to navigation

Product Details

What is Splunk Enterprise Security (ES)?

Splunk Enterprise Security is an analytics-driven SIEM that helps to combat threats with actionable intelligence and advanced analytics at scale. Ingest machine data from any source for full visibility to detect malicious threats in an environment. Investigate and correlate activities across multicloud and on-premises sources in one unified view to identify and remediate security incidents. Splunk Enterprise Security supports cloud, on-premises, and hybrid deployment models to meet the needs of the business. When deployed as a cloud-based SIEM, the vendor states Splunk Enterprise Security can deliver improved time to value, allowing teams to focus on higher value security tasks instead of managing infrastructure hardware and manual upgrades.

Splunk Enterprise Security (ES) Video

Threat intelligence capabilities can be found in a variety of products. In this video, the TrustRadius team goes over 4 leading products in the space, including Splunk Enterprise Security (ES).

Splunk Enterprise Security (ES) Technical Details

Operating SystemsUnspecified
Mobile ApplicationNo

Frequently Asked Questions

Splunk Enterprise Security (SIEM) is the company's flagship SIEM product, offered as a premium service to subscribers of Splunk Cloud or Splunk Enterprise.

IBM Security QRadar SIEM, LogRhythm NextGen SIEM Platform, and Securonix Next-Generation SIEM are common alternatives for Splunk Enterprise Security (ES).

Reviewers rate Centralized event and log data collection highest, with a score of 9.3.

The most common users of Splunk Enterprise Security (ES) are from Enterprises (1,001+ employees).
Return to navigation

Comparisons

View all alternatives
Return to navigation

Reviews and Ratings

(253)

Community Insights

TrustRadius Insights are summaries of user sentiment data from TrustRadius reviews and, when necessary, 3rd-party data sources. Have feedback on this content? Let us know!

Intuitive User Interface: Users have consistently found the user interface of the product intuitive and easy to use, allowing for quick completion of tasks. Many reviewers praised its simplicity and user-friendly design.

Efficient Log Correlation: The automation capabilities in XDR were highly appreciated by users as they enable efficient log correlation and turning data into meaningful insights. Several reviewers mentioned that this feature saves them time and enhances their overall productivity.

Comprehensive Security Monitoring: Users highlighted the product's ability to monitor firewall traffic, mail systems, and AWS infrastructure, providing comprehensive security monitoring. This feature was commended for its effectiveness in identifying potential threats from various sources.

User Interface: Users have found the user interface of Splunk Enterprise Security to be confusing and not user-friendly, with a steep learning curve. Some users suggest improving the UI by reducing the number of clicks required.

Troubleshooting and Integration: Several users have experienced difficulty troubleshooting and integrating Splunk with other products. They mention that customizations often require technical support which may not always be on point. There is a need for optimization when it comes to handling multiple data sources.

Default Searches and Alerts: Many users find the default searches and alerts provided by Splunk Enterprise Security to be not valuable and in need of customization. They suggest better alert suppression, improved permissions, and more support for certain tools. Furthermore, users desire a more polished version of the miter coverage dashboard.

Users commonly recommend the following for Splunk Enterprise:

  1. Invest in proper training for personnel to avoid misuse and low performance. Users suggest that investing in training for staff is crucial to ensure effective use of the software and prevent any potential issues or underutilization.

  2. Consider other products in the market and evaluate compatibility with your business needs. While users recommend Splunk Enterprise, they also suggest exploring alternative solutions to determine which one best suits their specific requirements and environment.

  3. Try Splunk Enterprise for free and explore its documentation. Users advise others to take advantage of the free trial offered by Splunk Enterprise and thoroughly explore the product documentation. This will help users evaluate whether the software meets their needs and understand its features before making a purchase decision.

Attribute Ratings

Reviews

(1-1 of 1)
Companies can't remove reviews or game the system. Here's why
Giuseppe Cusello | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
ResellerIncentivized
I'm a consultant in SIEM implementation for our customers. I implemented many ES installations in the last years for SIEMs and SOCs.
  • Search and analyze cyber Security Threats
  • cyber risk quantification of customer assents and identities
  • manage notable events and security incidents
  • investigate alerts from Splunk
  • create always new security Use Cases
  • reporting for board
  • support company compliance functions in their activities
  • we hard-worked to customize ES for multitenancy because this feature isn't present in ES
  • Investigations aren't so easy to customize
  • integration of ES with external Asset Management system isn't so easy to implement
  • I should be very useful an integration with an external Vulnerability Management system (e.g. Tenable) to highlight dangerous areas and asset risk quantification
I daily work in ES implementation for our customers so I hint to use ES in every Cyber Security protection situation because it ensembles threat detection features with notable and security incident management: it isn't a tool for specialists but for all security analysts. I think that it's well suited in all structured and/or big companies. It's difficult to implement (also for its costs) in small companies.
Security Information and Event Management (SIEM) (14)
72.85714285714286%
7.3
Centralized event and log data collection
100%
10.0
Correlation
100%
10.0
Event and log normalization/management
100%
10.0
Deployment flexibility
100%
10.0
Integration with Identity and Access Management Tools
30%
3.0
Custom dashboards and workspaces
30%
3.0
Host and network-based intrusion detection
30%
3.0
Log retention
100%
10.0
Data integration/API management
80%
8.0
Behavioral analytics and baselining
80%
8.0
Rules-based and algorithmic detection thresholds
60%
6.0
Response orchestration and automation
60%
6.0
Reporting and compliance management
80%
8.0
Incident indexing/searching
70%
7.0
  • We're a Splunk Partner and we implemented many ES infrastructures for our customers
  • We're too small and less structured 8especially in infrastructures) for use in our company
  • Our customers are all satisfied by ES
because I experimented with installations with a single server and installations with multi-side clusters and I was able to implement and use ES. The only problem I found, but I understand that's mandatory to have quick response times, it needs very many resources (CPUs, RAMs, and storage).
I performed a migration from RSA SA and I found that ES is very easier to implement new Correlation Searches.
I'm a consultant in ES implementation
I'm A Splunk Architect and I followed a training dedicated to ES, I'll try to have also a certification in ES
  • all SIEM features Implementation
  • Threat intelligence
  • Cyber Risk Quantification
  • Support for Asset Inventory
  • Support for Asset Inventory
  • Cyber Risk Quantification
  • Integration with our DSS platform for Cyber Risk Quantification (platform developed using Splunk Enterprise)
We are a Splunk Partner and will continue to work implementing ES
Yes
I worked to migrate a SOC infrastructure from RSA Security Analytics to Splunk ES for one of our customers
  • Price
  • Product Features
  • Product Usability
The only limit of ES is prize: if a customer must use ES only for SIEM, it's an expensive solution, so I hint to reduce the cost of ES, especially when the customer dimension isn't so great: some customers changed their idea to use Splunk before too expensive and preferred to use Elastic Search.
ES feature and usability are winning points over all the other solutions, I think that only with a few reduction of ES price, there will not be any opportunity for other products.
I always hint to our customers Splunk ES as the best solution for SIEMs and SOCs, even if expensive, is the best solution for features and usability, especially when the use of the platform is extended alto to non security Use Cases (e.g. IT Operations, business insight, etc...).
  • Third-party professional services
We are a third party professional services company and we perform consultancies in ES implemntation.
In addition, we used Splunk Profesisonal Services consultancy in one of our projects for the dimensions of the customers, because it needed a multi tenant installation (and ES isn't so) and for a final certification of the ES infrastructure developed.
Yes
the project was the migration of the SOC infrastructure from RSA Security Analytics to Splunk ES, so it was divided into:
  • architectural Design and infrastructure dimensioning,
  • ES configuration and tuning (installation was done by the custem by itself),
  • log ingestion configuration (check of the ingestion already done by the customer),
  • correlation searches migration (all custom correlation searches),
  • threat intelligence configuration (all custom sources),
  • final check and certification.
Change management was a small part of the implementation and was well-handled
The only change management was related to the process of developing new correlation searches and dashboards for visibility for the SOC's customers.
  • ES isn't multi tenant but we had to implement multi tenancy to manage the customers of that SOC maintaining separation between them
It's a fantatic product and it was very useful the presence of Splunk Professional Services for the Design Phase and the final Health Check.
  • Online training
I experienced only on-line training, but the trainers were very professional and competent. Maybe it could be more useful if they also have an experience in projects because sometimes they didn't have a real project experience to communicate to the students. Anyway, it was very interesting and I learned many thing that's very difficoult (or maybe impossible!) to have by myself, aven if I have more than 10 years of Splunk activity experience.
It was very interesting and I learned many thing that's very difficoult (or maybe impossible!) to have by myself. The only problem was that, when I worked with the Splunk Professional Services, I found some difference between the training contents and the information from PS. In addition is required a long experience on Splunk Enterprise for the data ingestion part, in other words I'm able to work with ES because I'm worling on Splunk since 11 years, otherwise I'd some problem.
Configurability is high for Correlation Searches and thear intelligence, we were able to configure multi tenancy but with an hard work.
So I'd like to have multitenancy out of the box in ES features.
In addition I'd like to have an easier configurability for investigations and notable and security incidents management.
At first put a very great attention to data sources because having clean data it's possible to have clean results, otherwise it isn't.
Then ES isn't a platform for improvisations: it need a knowledge of Splunk and a specific knowledge on ES itself.
I found some customer that tried to do all by itself, the result was only muck lost time.
No - we have not done any customization to the interface
Some - we have added small pieces of custom code
We had to customeize the installation for a customer implementing multi tenancy. The customizations were mainly related to the data structure: each final customer had its own index, all datamodels were customized to use index and other fields for the final customers, in each datamodel index was a main grouping field, all correlation search was customized using index as grouping field, for threst intelligence, it was needed to modify one ot the Splunk Python script for index grouping.
Our project was a migration from RSA Security Analytics to Splunk ES, so we had to create one Correlation Search for each Use Case to have the same Use Cases of the precedent installation.
In addition, out customer had two Threat Intelligence sources (MISP and Crowdstrike) and we had to customize the information update process taking data from that sources.
I continously work with Splunk Support and they always are quinck and professional in their intervenes.
I worked with Splunk Professional Services only one time and I was very satisfied of them.
They are very expensive (probably too much and out of market) but I hada all the answers that me and the customer needed.
Yes
They always answerd in a quick time with the solution, or, at least a workaround to pass the situation.
In my last project, we opened a case for a problem that should be solved in a past release of Splunk, but it's still present.
The support gave us a workaround to immediately solve the problem waiting if in the next release it will be solved.
I's very usable the part of configuration and correlation searching creation.
It could be better in Notable and Security Incident management.
  • Threat Intelligence
  • Correlation Searches
  • I know that ES isn't Multi Tenant, but it's very difficoult to configure and use it on many customers
  • Investigations could be more easy to use
Yes, but I don't use it
I'm not an ES user, but, in my implementation I usually try to prevent all service stops to guarantee High availability to the final customers.
ES requires a very performant infrastructure: if it has it's performant, otherwise not.
I had situation with a very performant infrastructure and I didn't notized that it was a distributed architecture, it seemed that there ware few data on my PC, othewise I experienced less performant infrastructures with less performaces.
  • our DSS platform
Our DSS platform is developed in Splunk Enterprise environment so integration was very easy!
  • Vulnerability Management
  • Asset Management
  • Anti Fraud Management System
Most of them have a Splunk App or Add-On, so I think that it will be very easy to do this.
  • File import/export
  • Single Signon
  • API (e.g. SOAP or REST)
We usualy use file import/export for integration and, when available, APIs to extract data from external systems (e.g. Cyber Quant or Tenable Security Center).
The Splunk Enterprise smart integration featutes is the reason why we choosed this environment to develop out DSS solution that integrates information from many external systema.
It's easy to take logs and information from external logs using Technial Add-Ons, I'd like to have some integration tool for some specific feature like Asset Management, customer Threat Intelligene sources, vulnerability Management Systems.
In addition I'd like to also have some feature to easily export data to external systems.
As I said many timkes in this review, I'd like to have some feature for integration of external systems as Asset Management, Vulnerability Management and so on, but also in multi tenancy mode.
In other words, I'd like to have the possibility to integrate many different asset managent sources from different final customers.
Splunk technical sales engineers are always available for supporting commercial process.
In addition, it's available the Oxygene 2 environment to have a demo environment.
Sometimes, the discount process should be less rigid and hear the indication from the partners and from the Splunk sales, because each customer has its own story, it's different from the others and requires a different approach.
They are always available.
It could be useful to have the possbility to give to the final customer a development period license: in few words, if I need a month to install and customize the solution for the final customer, the licesnse should start from the final acceptance test and not from the order date, because in this way the customer cannot have the license for the use or the full period they paid.
I had a fantastic experience with Splunk Professional Services:
they worked with us in our last SON project (a SOC migration for a very large customer) and helped to build a multi tenent environment even if ES isn't a multi tenant platform.
Th Splunk PS was a very professional and competent people, he is italian and was able to speak with our italian customers.
In our experience there are many negotiations with Splunk:
usually they are ready and available to find the best approach for the customer.
I experienced only one negative situation: when a big price redution is needed to take the customer, Splunk sales need approvation from their management that sometimes isn't so flexible to understand the situation.
for my exterience, unit pricing and billing frequency are correct. As I already said, I hint to have more discount flexibility, expecially with new customers, because there are competitors less expensive and very aggressive that are dangerous. In addition the possibility to don't pay the license for the development period could be a very interesting feature for the final customers.
As I already said, I hint to have more discount flexibility, expecially with new customers, because there are competitors less expensive and very aggressive that are dangerous. In addition the possibility to don't pay the license for the development period could be a very interesting feature for the final customers.
Yes
I didn't experienced big problems in the upgrading process, even if the ES packages start to be large and heavy.
If it's possible to divide in separated packages the full installation package, probably the upgrade process could be easier.
I say this because I experienced an installation and an upgrade of ES in a customer with a slow connection and usually the process was aborted for timeout, so I needed to upload the package using SSH and instaling it via CLI, to avoid installation timeouts.
  • bug solving
  • new Correlation searches available
  • multi tenancy (but I know that there isn't!)
No
No
Return to navigation