Splunk SOAR Reviews

I'm using it mainly for SOC automation and reporting. It's for incident and threat modeling, incident reporting, and triage.

I come from a cybersecurity background and I used to work on the tickets for the security alerts we received from various sources, including Splunk and other SIEM tools. The major challenge was that we were occupied with a lot of noise and activities like validation of IP reports, DNS checks, and traffic monitoring. These were redundant activities that every analyst had to do. We wanted to stop these kinds of activities. 

Splunk SOAR has multiple integrations with various tools, such as VirusTotal. Once we purchased those tools from the respective owners and automated them, the kinds of redundant activities we were having to do were almost immediately stopped.

Also, the ingestion of multiple log sources together helped us eliminate false positives. Using the SOAR platform, our monthly alert count was reduced from 1,100 to 200 or 250. That was the best impact we have seen from implementing SOAR in our environment.

It has reduced our mean time to detect and mean time to respond, from 20 to 30 minutes to just 5 to 10 minutes. In cybersecurity, every moment can be a ticking time bomb for us. We need to get to a solution immediately, whenever any incident is triggered in our environment. SOAR has helped us a lot.

Using this platform has resulted in a better work-life balance for my team.

I use the solution for incident response and automation.

The product helps with workflow reduction. The manual efforts required have been reduced. It contributes to optimization. The extent of workflow reduction varies depending on the instance. Manual intervention is required for critical processes. If it is not critical, we can automate it.

I use Splunk SOAR to create automation for our SOC team. These automations integrate with third-party applications, which is a key requirement for our SOC.

Splunk makes creating playbooks simple with its GUI. We can build playbooks by dragging and dropping different elements, eliminating the need for complex coding.

The visibility of the playbook viewer is good. We can add custom code while developing the playbook if required.

Splunk SOAR provides end-to-end visibility into our environment.

Troubleshooting our cloud-native environment with Splunk SOAR is a breeze thanks to its intuitive graphical interface. Unlike traditional tools requiring command lines, Splunk SOAR lets us manage integrations and cloud access entirely within the user-friendly GUI, streamlining the process.

Splunk SOAR has significantly reduced our manual workload by automating many previously time-consuming processes. We only began to see the full benefits after about five months.

Splunk simplifies security investigations by offering pre-built processes and leveraging the rich functionality embedded within Phantom's alerts. This combination provides a powerful toolkit for investigators.

Splunk SOAR has significantly improved our security alert resolution efficiency. While the specific time saved depends on the individual case, we've seen a general reduction in resolution time from around 20 minutes to five minutes thanks to the variety of use cases it supports.

Splunk has reduced our mean time to detection by 15 minutes.

Our mean time to resolution is now down to five minutes.

Splunk SOAR streamlined our security operations by consolidating multiple tools. We've successfully integrated and replaced approximately 15 individual applications into a more unified environment.

I use Splunk to detect threats and conduct threat analysis. The solution monitors, models, and analyzes all security events in our cloud environment's production areas and mitigates threats.

Before we used Splunk SOAR, we didn't know how much traffic was coming in or what security threats were happening on our servers. We could not monitor the entire production environment. Splunk enables us to perform monitoring, threat hunting, threat analysis, and reporting on the risks and impact on our business. 

Splunk improves our business resilience because it's a powerful tool that can monitor our servers and improve our web business by reducing security threats.  Before Splunk, security threats heavily impacted our production environments. 

In the past, we had to monitor all our servers manually, but now that we have implemented SOAR in our production environment, we no longer need to monitor everything 24/7. It sends alerts to our emails, saving us time that we can spend on other tasks. It reduces our monitoring time by about 50 percent. Splunk speeds up our response time by 20 percent. 

Splunk can integrate and manage multiple solutions simultaneously. It has reduced our alert volume and improved our security. We can show our clients that we're monitoring all the production environments and mitigating events as they happen. It has improved our security posture and reduced the risk.

We use it for risk management. And, we're trying to automate our L1 and L2 agents' functionalities. Through automation, we're trying to reduce the effort that is put in by an agent.

The amount of time that our L1 and L2 agents used to take to do a simple task was about 40 hours per week. Using SOAR and automation we have reduced that to 10 to 15 hours per week. That is a big win. Building up the playbooks helps with the daily investigations for our agents and risk management team.

It has also helped to reduce our mean time to detection. Something that used to take, on average, 30 minutes now takes about five minutes. It really depends on the kind of event it is. And it has definitely helped free up our IT staff for other projects.

Splunk SOAR has also reduced our dependency on UBA, although we still use it. And similarly, while we still use Splunk Enterprise Security (ES) for threat detection, SOAR has reduced our dependency on that by using it for investigation. Of course, ES has to be there as it is receiving feeds, but the SOAR/ES collaboration is just a better way to function.

Splunk SOAR, formerly Splunk Phantom, is a powerful automation platform with a high security focus, but it is also usable for any other general tasks such as putting a server off the network, restarting services, performing health checks, performing data enrichment by collecting information from different sources and combining, analyzing, and providing precise information about several topics. It has a variety of options, and what can stop you is just your creativity.

Splunk SOAR has a user-friendly interface that simplifies playbook creation. While some initial training is helpful, the drag-and-drop functionality and pre-built code generation features make it accessible even for those without extensive coding experience. This ease of use allows teams to quickly automate incident response tasks, reducing the business impact.

Splunk SOAR helps us improve our data collection and automate operational tasks. While it enriches data, some actions require approval or additional information. For application outages, immediate action is crucial to avoid business impact, and time to respond is key to be able to identify the root cause of issues. For example, if a database server goes down, if the analyst doesn't check the issue right after it occurs, they may end up losing precious logs, which would help them identify the issue and avoid reoccurrence. Additionally, manual database tasks like service restarts or log checks are time-consuming. Splunk SOAR automates these tasks, enriching our log collection, running health checks, and generating reports for the database team. This allows for faster issue identification and resolution, ultimately contributing to high system availability and minimal customer impact.

It provides a comprehensive solution for our environment's health. Splunk offers two key products: Splunk as an observability tool that detects critical issues, and Splunk SOAR, an automation platform that enriches data and even automates remediation actions.

SOAR offers easy integration with various tools. We can leverage pre-built apps for common integrations or create custom ones. While Splunk integrations are automatic, SOAR's API allows us to send data from any observability tool using the SOAR API. This API offers different options to manage the platform, and one of the options is to create a container in SOAR, which can trigger the appropriate playbook based on a label name, simplifying integration with new tools and accelerating proof-of-concept deployments.

Implementing a SOAR platform significantly improved our IT operations. Previously, frequent application downtime overwhelmed our busy operations team, forcing them to prioritize and leave some issues unresolved. SOAR automation relieved this pressure by allowing us to create playbooks that automatically detect and fix recurring problems. While the initial setup required developing playbooks and standards, the resulting reduction in alerts and faster issue resolution freed up the operations team's time and had a major positive impact on our overall IT environment.

Our mean time to detect is within seconds. Before SOAR, manually detecting and resolving server issues was slow and unreliable. It could take hours for an overloaded team to identify a problem, and even longer to fix it, potentially impacting customers. SOAR automates this process, triggering immediate responses that take seconds, minimizing downtime, and ensuring a smooth customer experience.

Our mean time to resolution is improved. SOAR helps resolve issues quickly by automating tasks through playbooks. When an issue is detected, SOAR can run a playbook to fix it or provide more information to analysts, expediting resolution.

SOAR has significantly improved our efficiency by automating manual tasks. This frees our IT staff to focus on resolving issues faster and tackling more complex projects.

The primary use case is for our Security Operation Center. We use it for automation and responding to some of our cybersecurity alerts. It is being used for performance enrichment and automation on those events.

We do not use Splunk SOAR to predict things or try to predict things that can happen in the future. We are mainly using it to respond to things. It is more for responding to events that have happened.

We implemented Splunk SOAR because we had a lot of repetitive tasks that our analysts do. In our area, it was hard, and it still is hard, to find cybersecurity graduates and analysts, so any time that we can save for our analysts can be better spent.

There has been a lot of time-saving which equals to dollars-savings for the company. We have a lot of automation of repetitive tasks and things like that. We do not have to do things manually, so it saves a lot of time for our analysts. It is hard to measure the time savings because we are always developing or trying to develop new things. We are not that far along. We have been using it for three years but we have used it in production for maybe a year and a half. There is a big learning curve, so I am still learning. 

Our cloud endeavors are still in their infancy phase. We have not even started to look at that part yet. For our on-prem environment, there is definitely an advantage. There are a lot of features and capabilities not only from a security perspective. We have real-time alerting based on the system downtime and certain logs that are collected and things like that. I am sure we can apply it to the cloud infrastructure in the future as well.

We have definitely saved a lot of time with the things that we have automated. We have probably saved the amount of one analyst in a year.

In terms of Splunk SOAR's impact on our organization’s business resilience, it is on the way to getting there. This year and next year, we will definitely set that stage. We have some initiatives that are just starting that would definitely put us into that area. We have not crossed that bridge yet.

Splunk's unified platform has helped consolidate networking, security, and IT observability tools. A simple example is the ability to use SOAR integrations and API integrations in all the different tool sets that we have. Our analysts can use those tools from Splunk instead of having to log in to each one of those tool sets to do things. It is saving a lot of time as well for our analysts.