Splunk SOAR Reviews

Name: Splunk SOAR
Brand: Splunk
Rating: 4.1 (43 reviews)

Vendor: Splunk

4.1 out of 5

43 reviews
87% willing to recommend

555 followers

Post review

What is Splunk SOAR?

Splunk SOAR offers features like automation and orchestration of manual tasks, speeding up work, detection and response to advanced and emerging threats.

Get the Splunk SOAR Buyer's Guide and find out what your peers are saying about Splunk SOAR, Microsoft Sentinel, Elastic Security and more!

Splunk SOAR is the #3 ranked solution in SOAR tools. PeerSpot users give Splunk SOAR an average rating of 8.2 out of 10. Splunk SOAR is most commonly compared to Microsoft Sentinel: Splunk SOAR vs Microsoft Sentinel. Splunk SOAR is popular among the large enterprise segment, accounting for 65% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 14% of all views.

Helped 838,533 peers since 2012

Featured reviews

Shubham Sinha.

Senior Principal Information Security Analyst at Veritas Technologies LLC

The visibility of the solution’s playbook viewer depends on the right you assign to the analyst. SOAR has the flexibility to distinguish between the roles of analyst and owner. If the analyst's role is to just work on a ticket, they cannot view the playbook design platform. That is limited to the owner. That can be both a good and bad thing. A major problem I have faced in SOAR's rights distribution is roles and responsibilities. Suppose I am initially granted user rights or analyst rights, but later on, I also get admin rights. SOAR is unable to amend the limitations of my role. I raised a support ticket with Splunk about this. They said it's a bug in their 5.3.5 version. To fix this, I had to reinstall the entire platform from scratch, just to amend the rights and responsibilities of one role. This bug was not fixed. Also, the latest GUI is terrible. The previous one was better. Another point is that while using Splunk SOAR in an investigation is not difficult, there are some complex parameters. We have SOAR case management, but the licensing is going to put a big hole in your pocket. Also, there is an issue with investigation node addition. When you are doing node additions you cannot grant the entire environment to have SOAR visibility into the incident. So when you integrate it with an ITSM tool, like ServiceNow or Jira for ticketing purposes, there is a challenge. When you do nodes for investigation on a regular basis, sometimes it does not update our ServiceNow platform, which is terrible. It is a redundant activity for an analyst to update that in the case management as well as in the ITSM tool. Although SOAR provides integration, the functionality of investigation and nodes is terrible when it comes to integration. An additional area for improvement is custom function creation. It's terrible. A newbie cannot create custom functions right away. They would require a solid understanding first. Also, the reporting is really awful. If I want to do a report for a customized time period, such as the last three days or the last four days, or from the 10th to the 12th of June, that is not available in SOAR at all. That kind of feature is available in Cortex XSOAR. Reporting is a real challenge.

Read full review

SAURABHYADAV4

Consultant at HCL Technologies

The product provides 100% automation for certain processes. It needs no manual intervention. We can integrate various tools like VirusTotal and ServiceNow. We can automate all the tasks. It is one of the best things about the tool. It also provides workforce protection. Whenever we get any alerts or make any configurations, we develop workflow automation using the playbooks. We can fully automate some of the security incident resolutions. We can also do identification and redirection using the product. I have integrated Splunk Phantom with Splunk Cloud. Previously, I used it with Splunk on-premise to get the logs into Splunk for tracking and audit purposes. Since Splunk is a SaaS-based product, it has certain maintenance windows. Over time, the vendor does some maintenance during off-production hours. Creating playbooks using the solution’s playbook editor is not tough. For someone who knows the solution, I rate the ease of creating playbooks as four out of five. The solution’s playbook viewer provides full visibility. The product provides different integrations. We can easily integrate the tool with VirusTotal, ServiceNow, and the asset and identity management system. The product is somewhat easier to use in an investigation. We have been able to identify the false positives using the product. The tool has helped reduce false positives by 30%. Splunk SOAR has helped reduce our mean time to detect by 10% to 15%. Splunk SOAR has a major impact on our meantime to resolve. Our mean time to resolve has been reduced by 35% to 40%. I have integrated VirusTotal with Splunk SOAR. Instead of doing manual checks, I can easily get the score by integrating the tool with Splunk SOAR. I have also synced Active Directory with the asset and identity management system. It's been a long time since we have implemented Splunk SOAR. It brings value to our organization. Before Splunk SOAR, everything was done using manual intervention. We had to educate the SOC team on how to do tasks. We also had to create playbooks for them. With Splunk SOAR, we only have to educate the team about how things are done so that they can perform a manual intervention when there is a failure, which is rare. After deploying the product, we had to provide some training to the SOC team. After getting trained, it was hands-on. Along with other Splunk solutions, Splunk SOAR provides the resilience to face any issues and hardships. We easily cope with downtimes. Splunk SOAR offers us end-to-end visibility across our environment. It depends on how much we utilize it. Visualizing and troubleshooting our cloud-native environment using Splunk SOAR is somewhat easy. I have to coordinate with the Phantom administrators if there is any issue. I work mostly on playbook development and integrating it with security instances.

Read full review

Amit Moralwar

Senior Information Security Engineer at a tech company with 10,001+ employees

Splunk makes creating playbooks simple with its GUI. We can build playbooks by dragging and dropping different elements, eliminating the need for complex coding. The visibility of the playbook viewer is good. We can add custom code while developing the playbook if required. Splunk SOAR provides end-to-end visibility into our environment. Troubleshooting our cloud-native environment with Splunk SOAR is a breeze thanks to its intuitive graphical interface. Unlike traditional tools requiring command lines, Splunk SOAR lets us manage integrations and cloud access entirely within the user-friendly GUI, streamlining the process. Splunk SOAR has significantly reduced our manual workload by automating many previously time-consuming processes. We only began to see the full benefits after about five months. Splunk simplifies security investigations by offering pre-built processes and leveraging the rich functionality embedded within Phantom's alerts. This combination provides a powerful toolkit for investigators. Splunk SOAR has significantly improved our security alert resolution efficiency. While the specific time saved depends on the individual case, we've seen a general reduction in resolution time from around 20 minutes to five minutes thanks to the variety of use cases it supports. Splunk has reduced our mean time to detection by 15 minutes. Our mean time to resolution is now down to five minutes. Splunk SOAR streamlined our security operations by consolidating multiple tools. We've successfully integrated and replaced approximately 15 individual applications into a more unified environment.

Read full review

Splunk SOAR mindshare

As of February 2025, the mindshare of Splunk SOAR in the Security Orchestration Automation and Response (SOAR) category stands at 7.2%, down from 8.7% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Security Orchestration Automation and Response (SOAR)

PeerAnalyst reports

Type	Title	Date
Category	Security Orchestration Automation and Response (SOAR)	Feb 20, 2025	Download
Product	Reviews, tips, and advice from real users	Feb 20, 2025	Download
Comparison	Splunk SOAR vs Microsoft Sentinel	Feb 20, 2025	Download
Comparison	Splunk SOAR vs Palo Alto Networks Cortex XSOAR	Feb 20, 2025	Download
Comparison	Splunk SOAR vs IBM Security QRadar	Feb 20, 2025	Download

Title	Rating	Mindshare	Recommending
Microsoft Sentinel	4.1	20.2%	93%	89 interviews Add to research
Elastic Security	3.8	5.0%	86%	63 interviews Add to research

Valuable Features

Splunk SOAR offers highly flexible integration capabilities with third-party systems like VirusTotal and ServiceNow, automates and customizes playbooks, and provides end-to-end visibility. Users commend its user-friendly interface, impressive documentation, and effective collaboration features. It's praised for its ability to automate redundant tasks, handle phishing attempts, and reduce incident response time significantly. Splunk SOAR's API connectors, advanced analytics, and customization options enhance business resilience, reducing mean time to detect and resolve incidents efficiently.

"Splunk has many features that make work easier, and it's simple to implement in a large production environment. Splunk collects a massive amount of data from cloud servers and handles it perfectly."
"Splunk integrates with so many products. It provides us with good information for us to be able to do our jobs."
"Its ability to integrate with other systems and applications in our environment is pretty easy. Sometimes if we see any complexity we try to involve a consultant to help us. Everything is through the built-in app. Splunk can connect to any assets through the built-in app. It could be in a platform, firewalls, or endpoints. It's easy if it's an app integration."

Room for Improvement

Splunk SOAR's integration across platforms, scalability, and ease of use require enhancement. Users cite challenges with APIs, IAM integration, and support documentation. The user interface and reporting features lack intuitive design. Automation is limited, and playbook and case management are cumbersome. Cost and pricing are obstacles for smaller organizations. There's a need for more advanced training resources, better app integration, and support for additional mobile platforms. Enhanced AI and machine learning capabilities, as well as more efficient logging, are needed.

"The dashboard could be improved and some other features. SOAR should integrate network capabilities, allowing us to also monitor the WLAN network. Splunk is also expensive and difficult for beginners to learn. It's hard for a new user to figure out how to visualize old threat data. It took two to three months to learn with hands-on experience how to use the dashboard, visualize events, and analyze threats."
"I haven't had any issues with the solution so far."
"The font used in the interface could be changed and made easier to read."

ROI

Organizations experience varying ROI from Splunk SOAR. Some report substantial value, especially through automation and time-saving efficiencies, while others find the investment challenging to quantify due to integration complexities. Initial setup and returns can be time-intensive, requiring dedicated resources, yet feedback from leadership tends to be positive. Many witness a tangible impact on daily operations, and some achieve significant cost reduction in staffing needs. Users with prior knowledge perceive benefits more swiftly.

Pricing

Splunk SOAR employs a subscription-based, consumption-driven licensing model, renowned for being costly due to factors like user numbers and data volume. Many users highlight its high expense compared to competitors, with costs potentially ranging from hundreds of thousands to a million dollars annually. Despite high prices, users acknowledge value through automation efficiencies. Splunk SOAR includes modules like analytics and professional services, available for additional fees, and offers discounts on high data volume. The model may vary with pricing changes anticipated.

"Splunk is a fast enterprise tool, but it costs too much. At the same time, it's worth what we pay, in my opinion. We can efficiently perform all the functions and tie together the data. It's the perfect tool for our needs."
"I found the price of Splunk SOAR to be good."
"While I can't confirm the exact pricing, some colleagues have mentioned that Splunk SOAR may be on the costlier side."

Popular Use Cases

Consulting firms utilize Splunk SOAR for threat analysis, automation of phishing processes, security monitoring, and incident response automation. They focus on integrating multiple data sources, orchestrating security workflows, and reducing manual intervention. It's employed for email filtering, infrastructure maintenance, threat intelligence, and risk management. Splunk SOAR supports cloud and on-premises deployments and is used across security operations, legal processes, and various automation tasks, leveraging playbooks for efficient action execution.

Service and Support

Splunk SOAR's customer support has improved since being acquired by Splunk, with many users finding it effective and responsive. Support is often rated between 7 and 10 out of 10. While documentation and community resources are helpful, there's room for flexibility in telecom and IoT cases. The professional support team is praised for their expertise and quick response. Users appreciate dedicated support and collaborative engagement, though some prefer community solutions for faster resolution.

Deployment

Experiences with Splunk SOAR's initial setup vary. Some find it straightforward, aided by clear documentation, taking a few days with a small team. Others describe the setup as complex due to integration challenges, requiring expert assistance and weeks to months to stabilize. While the SaaS version is quicker, on-premise deployment may involve difficulties, such as clustering issues. Maintenance and customization also play roles in the overall setup experience.

Scalability

Splunk SOAR is highly scalable, performing well in large and small environments. It allows flexibility and can handle vast user numbers effectively. Some organizations experience scalability issues, often due to deployment challenges. While factors like implementation and node limitations can impact performance, many find it meets diverse needs. Its ability to grow with infrastructure, along with handling multiple alerts, makes it adaptable. High scalability ratings emphasize its effectiveness across varied scales.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Splunk SOAR Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Computer Software Company

14%

Financial Services Firm

13%

Manufacturing Company

11%

Government

University

Energy/Utilities Company

Educational Organization

Retailer

Real Estate/Law Firm

Construction Company

Comms Service Provider

Insurance Company

Healthcare Company

Non Profit

Outsourcing Company

Media Company

Legal Firm

Hospitality Company

Aerospace/Defense Firm

Transportation Company

Wholesaler/Distributor

Recreational Facilities/Services Company

Consumer Goods Company

Performing Arts

International Affairs Institute

Compare Splunk SOAR with alternative products

Learn more about Splunk SOAR

Go from overwhelmed to in-control

Automate manual tasks. Address every alert, every day. Establish repeatable procedures that allow security analysts to stop being reactive and focus on mission-critical objectives to protect your business.

Force multiply your team

Orchestrate and automate repetitive tasks, investigation and response to increase efficiency and productivity, and do more with the people you already have. Make a team of three feel like a team of 10.

From 30 minutes to 30 seconds

Work faster with Splunk SOAR. Respond to threats in seconds. Lower your mean time to respond (MTTR) by automating security tasks and workflows across all of your security tools.

End-to-end security operations made easy

Take advantage of Splunk Enterprise Security and Splunk SOAR joining forces to provide a seamless and intuitive SecOps platform to prevent, detect and respond to advanced and emerging threats.

Splunk SOAR was previously known as Phantom.