Rodrigo Scorsatto - PeerSpot reviewer
Senior Principal Site Reliability Engineer at a tech vendor with 10,001+ employees
Real User
Top 20
Enhances Data Collection and Auto-healing
Pros and Cons
  • "SOAR allows custom code to be written and integrates with various technologies through pre-built apps like Windows Remote Management or custom apps we can build ourselves like a secret retrieval app from our vault."
  • "While there have been improvements to the investigation process, particularly with the playbook data, the current log review method is cumbersome."

What is our primary use case?

Splunk SOAR, formerly Splunk Phantom, is a powerful automation platform with a high security focus, but it is also usable for any other general tasks such as putting a server off the network, restarting services, performing health checks, performing data enrichment by collecting information from different sources and combining, analyzing, and providing precise information about several topics. It has a variety of options, and what can stop you is just your creativity.

How has it helped my organization?

Splunk SOAR has a user-friendly interface that simplifies playbook creation. While some initial training is helpful, the drag-and-drop functionality and pre-built code generation features make it accessible even for those without extensive coding experience. This ease of use allows teams to quickly automate incident response tasks, reducing the business impact.

Splunk SOAR helps us improve our data collection and automate operational tasks. While it enriches data, some actions require approval or additional information. For application outages, immediate action is crucial to avoid business impact, and time to respond is key to be able to identify the root cause of issues. For example, if a database server goes down, if the analyst doesn't check the issue right after it occurs, they may end up losing precious logs, which would help them identify the issue and avoid reoccurrence. Additionally, manual database tasks like service restarts or log checks are time-consuming. Splunk SOAR automates these tasks, enriching our log collection, running health checks, and generating reports for the database team. This allows for faster issue identification and resolution, ultimately contributing to high system availability and minimal customer impact.

It provides a comprehensive solution for our environment's health. Splunk offers two key products: Splunk as an observability tool that detects critical issues, and Splunk SOAR, an automation platform that enriches data and even automates remediation actions.

SOAR offers easy integration with various tools. We can leverage pre-built apps for common integrations or create custom ones. While Splunk integrations are automatic, SOAR's API allows us to send data from any observability tool using the SOAR API. This API offers different options to manage the platform, and one of the options is to create a container in SOAR, which can trigger the appropriate playbook based on a label name, simplifying integration with new tools and accelerating proof-of-concept deployments.

Implementing a SOAR platform significantly improved our IT operations. Previously, frequent application downtime overwhelmed our busy operations team, forcing them to prioritize and leave some issues unresolved. SOAR automation relieved this pressure by allowing us to create playbooks that automatically detect and fix recurring problems. While the initial setup required developing playbooks and standards, the resulting reduction in alerts and faster issue resolution freed up the operations team's time and had a major positive impact on our overall IT environment.

Our mean time to detect is within seconds. Before SOAR, manually detecting and resolving server issues was slow and unreliable. It could take hours for an overloaded team to identify a problem, and even longer to fix it, potentially impacting customers. SOAR automates this process, triggering immediate responses that take seconds, minimizing downtime, and ensuring a smooth customer experience.

Our mean time to resolution is improved. SOAR helps resolve issues quickly by automating tasks through playbooks. When an issue is detected, SOAR can run a playbook to fix it or provide more information to analysts, expediting resolution.

SOAR has significantly improved our efficiency by automating manual tasks. This frees our IT staff to focus on resolving issues faster and tackling more complex projects.

What is most valuable?

SOAR allows custom code to be written and integrates with various technologies through pre-built apps like Windows Remote Management or custom apps we can build ourselves like a secret retrieval app from our vault. Playbooks, built with drag-and-drop and custom functions, provide further flexibility for developers to tailor the solution to their specific needs.

What needs improvement?

While there have been improvements to the investigation process, particularly with the playbook data, the current log review method is cumbersome. Scrolling through massive, unsearchable logs is inefficient. Ideally, the system would offer search functionality or even AI-powered analysis to pinpoint issues quickly, saving time spent sifting through text.

SOAR's development efficiency can be enhanced by incorporating AI to assist in writing custom code, eliminating the need to start from scratch. This AI-powered approach would significantly reduce the time required to develop playbooks.

Buyer's Guide
Splunk SOAR
October 2025
Learn what your peers think about Splunk SOAR. Get advice and tips from experienced pros sharing their opinions. Updated: October 2025.
872,008 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Splunk SOAR for over three years.

What do I think about the stability of the solution?

SOAR is stable. In the last three years, we only had it go down twice, which was related to a server issue.  

What do I think about the scalability of the solution?

SOAR is designed to grow with our needs by allowing us to add more hardware to handle increased workloads. This makes it a good fit since scalability was a major factor in our evaluation. On top of that, SOAR's customizable platform ensures it can be tailored to our specific requirements.

How are customer service and support?

During playbook development, we encountered technical issues with the playbook feature itself, requiring vendor assistance. Their expertise was invaluable. Not only did they resolve the immediate problems, but they also proactively suggested improvements to our SOAR platform coding for better speed and overall performance.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Having experience with various automation tools, including Microsoft Orchestrator, Ansible, and Rundeck, I find SOAR to be the most user-friendly. In fact, after exploring most market offerings, Splunk SOAR stands out for its comprehensive feature set, surpassing any other platforms we've previously used.

How was the initial setup?

The deployment required one member from our team and one from the SOAR team.

What about the implementation team?

Implementing Splunk SOAR was made significantly easier with the support and expertise of the vendor's team. Their deep knowledge of the platform and extensive deployment experience proved invaluable, allowing for a smoother and more efficient implementation process overall.

What's my experience with pricing, setup cost, and licensing?

While the exact pricing for Splunk SOAR is not known to me, I've heard from some colleagues that it may be on the more expensive side compared to other automation tools. However, the general consensus seems to be that the investment in Splunk SOAR pays off once you start utilizing its capabilities and automating your workflows. By automating tasks and freeing up resources, Splunk SOAR can provide a strong return on investment in the long run, despite the potentially higher upfront cost.

Which other solutions did I evaluate?

I have evaluated different automation platforms, such as Microsoft Orchestrator, Ansible and Rundeck.

What other advice do I have?

I would rate Splunk SOAR nine out of ten. I am deducting one point because it is tedious to go through the logs manually.

SOAR allows for cloud and on-premise deployment, and I favor the on-premise option for enhanced security. Since some automation has extensive access to our internal systems, any internet communication during operation raises the potential for breaches.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
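The integration path described in the review above (send an event from any observability tool to the SOAR REST API as a container, and let the container's label select the playbook) looks like this in practice. This is an added example, not code from the review or from Splunk; it assumes the Splunk SOAR REST endpoint `POST /rest/container` authenticated with the `ph-auth-token` header, and a playbook configured to run on containers carrying the chosen label. The base URL, token, label and event fields below are placeholders or constructed samples. The `transport` parameter lets the call be exercised offline against a stand-in; in production, leave it unset so the request goes over TLS to the real instance with certificate verification intact.

```python
"""Create a Splunk SOAR container over the REST API so a label-matched playbook runs.

Added example; assumes POST /rest/container with the ph-auth-token header.
The base URL, token, label and event data are placeholders / constructed samples.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

SEVERITIES = ("low", "medium", "high")


def build_artifact(name: str, cef: Dict[str, object], label: str = "event") -> Dict[str, object]:
    """One artifact: CEF-style fields the playbook reads (e.g. sourceHostName)."""
    if not cef:
        raise ValueError("artifact needs at least one CEF field")
    return {"name": name, "label": label, "cef": dict(cef)}


def build_container(name: str, label: str, severity: str, description: str = "",
                    artifacts: Optional[List[Dict[str, object]]] = None) -> Dict[str, object]:
    """Container payload. The label is what SOAR matches against playbooks, so it is mandatory."""
    if not label:
        raise ValueError("label is required: SOAR uses it to pick the playbook")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    return {
        "name": name,
        "label": label,
        "severity": severity,
        "description": description,
        "artifacts": list(artifacts or []),
    }


def post_container(payload: Dict[str, object], base_url: str, token: str,
                   transport: Optional[Callable[[urllib.request.Request], bytes]] = None) -> int:
    """POST the container and return its id. `transport` is injectable for offline runs."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/rest/container",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"ph-auth-token": token, "Content-Type": "application/json"},
    )
    # Default transport: real HTTPS call with normal certificate verification.
    send = transport or (lambda r: urllib.request.urlopen(r, timeout=10).read())
    resp = json.loads(send(req))
    if not resp.get("success"):
        raise RuntimeError(f"SOAR rejected container: {resp}")
    return int(resp["id"])


def fake_soar_transport(req: urllib.request.Request) -> bytes:
    """Constructed stand-in for a SOAR instance: checks the token, answers like /rest/container."""
    headers = {k.lower(): v for k, v in req.header_items()}
    if headers.get("ph-auth-token") != "PLACEHOLDER_TOKEN":
        return json.dumps({"success": False, "message": "authentication failed"}).encode()
    body = json.loads(req.data)
    assert body["label"], "SOAR requires a label on every container"
    return json.dumps({"success": True, "id": 42}).encode()


if __name__ == "__main__":
    # Constructed event: a database host flagged down by a monitoring tool.
    artifact = build_artifact("host", {"sourceHostName": "db01.example.invalid", "deviceEventCategory": "availability"})
    payload = build_container("db01 down", "db-outage", "high", "constructed outage alert", [artifact])
    cid = post_container(payload, "https://soar.example.invalid", "PLACEHOLDER_TOKEN", transport=fake_soar_transport)
    print(f"created container {cid}; playbooks bound to label 'db-outage' will run")
```

Because the label is the routing key, a new tool only needs a unique label and a playbook bound to it; nothing else in the pipeline changes, which is what makes proof-of-concept integrations quick.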
reviewer2499567 - PeerSpot reviewer
Software Automation Engineer at a wholesaler/distributor with 51-200 employees
Vendor
Top 20
Helps improve our business resilience, reduce our MTTR, and save time overall
Pros and Cons
  • "The most valuable features are the Splunk SOAR apps and playbooks."
  • "Providing Splunk app developers and playbook developers with Python stub files, so that when they create custom code through their IDE they can have IntelliCode suggestions, would be helpful."

What is our primary use case?

My use case for Splunk SOAR is security automation.

We are running a Splunk SOAR cluster: three nodes in three different environments (dev, test, and prod).

How has it helped my organization?

The SOC team has been much less burdened since implementing Splunk SOAR. They're able to completely automate away some events. At the very least, they get so much information gathered from our automated actions that they're able to almost immediately take action if action isn't already taken by the playbooks that are being run.

Splunk SOAR has helped reduce our mean time to resolve. It has reduced, for example, ten-minute investigations into 30-second ones. Sometimes all our analysts need is a little bit of context, and they can immediately make a decision based on that. There are some events that we have where normally investigating them would take about ten minutes. We get a ton of those a day. I did the math and Splunk SOAR saves over 70 hours a week, which is massive. That savings is only for those types of events alone. In that context, it is a huge improvement.

Splunk SOAR has helped improve our business resilience. It's an extremely powerful tool. I do think that the ability it has depends on the people implementing it, though. The implementation needs to be good. If it's not, that's not Splunk SOAR's fault, that's the organization's fault. If they do it right, it is incredible.

Splunk SOAR has saved us time with alert triage. Even on simple events that might take ten minutes, we're taking that down by around 95 percent. Almost all events can at least have some sort of automation that saves minutes and every minute counts and saves us so much time.

Splunk SOAR has saved us time in threat response.

What is most valuable?

The most valuable features are the Splunk SOAR apps and playbooks. I am a Splunk SOAR developer, and my job is to make sure that integrations with third-party systems are done well. I give guidelines for how to properly make Splunk SOAR apps. These two features are essential in how the apps will work.

What needs improvement?

One area for improvement in Splunk SOAR is version control for Splunk apps. Currently, for Splunk playbooks, we can hook up a Splunk store to a Git repository with playbooks in it, and it will pull them down periodically, which is amazing. Splunk apps don't have that, and that would be extremely helpful because we do custom coding a lot. There are many vendors out there. And because there isn't source control, we need to emulate that same behavior, which causes us to do other things. For example, we need to create a Git repository somewhere on SOAR and create a clone job that periodically runs a Git pull action. After that, we bring all that SOAR data into that repository. We need to have a Git hook that automatically tars the app we just created and then uses the API to automatically upload it. Because of that, now we have this app data that's being doubled up because we have SOAR apps in the Apps directory on the back end of Splunk SOAR, and we also have this Git repository, which holds all the same information. That could be highly simplified, and that is a big gap that would make my life and probably other developers' a lot easier.

There is a specific situation that comes into place when we have a Splunk SOAR cluster we have to work with. If we also don't have it hooked up to an external Splunk Enterprise instance, trying to debug what's going on in the cluster is extremely difficult because there are 45 different log locations. That could be extremely difficult to try and find out what is going on with all the microservices that are being used in a Splunk SOAR cluster. I had to personally develop a tool to be able to monitor all those logs at once and then parse it out and query that log once we're done with whatever operation so that we can get a clear picture of what's going on in the SOAR cluster, which has been immensely helpful, taking hours off of debugging time to do that. It would be nice to have a tool like that natively available in Splunk SOAR to begin with. Even without the cluster, I believe it's over 30 log sources that could go wrong. 

Providing Splunk app developers and playbook developers with Python stub files, so that when they create custom code through their IDE they can have IntelliCode suggestions, would be helpful. It could be dangerous for someone who is coding to constantly have to look back at the documentation and not see, for example, that what they expect to be a Python dictionary is, in reality, a list; that could cause errors when a playbook runs or when an app runs, and that could be a potential incident that now goes unresolved, or a serious issue. That's dangerous. Providing SOAR app developers with some Python stub files that they can use for IntelliCode suggestions would also be helpful. It would also help to have slight changes to the way custom modifications to already existing apps on GitHub or Splunkbase are expected to be created: by essentially inheriting from the base app when we want custom modifications, so that developers have to explicitly override any methods from the base class. That way, we're not modifying any of the underlying layers of the base app. We could also hook it up to a Git repository to receive those updates into the base app and then the custom app. This way we have these custom app features, with all these extra things being put into it, still on the custom app end, so we can have our features and the base app all in one. I think that'd be a novel solution.

For how long have I used the solution?

I have been using Splunk SOAR for one year.

What do I think about the stability of the solution?

As a standalone instance, SOAR is extremely stable. I don't have any issues with it. The only reason there might be an issue is if we lack resources on the hardware itself, and that's more of a problem from an architecting, and engineering perspective, not exactly Splunk SOAR. When it comes to the Splunk SOAR cluster, it is pretty complicated. There are five different microservices, and if we have an issue there, we have 45 different log sources to get that info from, and it can be hard to debug it. If we have a problem, it can be hard to diagnose which microservice we might be having issues with.

What do I think about the scalability of the solution?

Splunk SOAR scales well, though when we get to, I believe, more than five nodes in a Splunk SOAR cluster, it becomes a little bit unwieldy, and it takes a long time for things to happen. If we need to update something in the cluster, things can get slow, and we have been told by professional services to try and keep it at three nodes because anything more than that is unwieldy, as they have said. I believe that is a known issue with Splunk SOAR.

How are customer service and support?

The technical support from Splunk has been good. Whenever we need to engage in professional services, they're always able to give us new information that we did not explicitly know, or they're able to validate what we need. Usually, when we talk to professional services of some kind, which is the main form of customer service I think that we use, it's usually quick and to the point in exactly what we need, which is fantastic. There have been times when we requested professional services, something we needed, and that was developed in-shop just for us, which is fantastic. The tool that was made to remove SOAR cluster nodes was requested by us, and then it became a feature later on. So that was amazing and helpful.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial deployment was extremely easy as a stand-alone instance. It's a straightforward process, especially for someone like me who has had to set up other servers containing security tools on them. In terms of setting up a cluster, I unfortunately haven't had experience setting up a cluster explicitly. I have had experience removing nodes from a cluster, and with a new tool that was released, I believe, in version 6.0, it was made easier. Deploying Splunk SOAR involves downloading the tarball, extracting it, running the pre-install script to ensure proper configuration, and then running the installation script. As long as system resources are sufficient, the installation itself should be quick despite the application's size.

What was our ROI?

The biggest metric that I've seen as a developer admin and DevOps engineer is the time saved. I don't think that on our end, we have set up the ROI functionality in SOAR yet, but I know that the timing has been massive. We should get it set up in SOAR so that the customers see the value.

What other advice do I have?

I would rate Splunk SOAR nine out of ten. It's a fantastic product, but it needs a few more features to make it amazing. The clustering does need to be simplified a bit. Version controlling for apps and making app development just a little bit easier for developers would take it to the next level. There's no other SOAR product that does what Splunk SOAR does as well. All other SOAR products are frankly inferior, but it just needs that little bit of extra functionality to make it a truly great product.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. Partners
PeerSpot user
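The reviewer above describes writing a tool that watches dozens of SOAR microservice logs at once, merges them, and queries the result after an operation to see what the cluster actually did. The following is an added example of that technique, not the reviewer's tool and not anything shipped with Splunk SOAR: it parses several log sources into one timestamp-ordered timeline, keeps untimestamped continuation lines (tracebacks) attached to the entry they belong to, and lets you filter by level, time window and pattern. The log names, format and lines are constructed samples; real SOAR log paths and formats are not assumed.

```python
"""Merge many service logs into one timeline and query it after an operation.

Added example modelled on the multi-log debugging approach described in the review.
Log file names, the line format and all lines below are constructed samples.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed line format: "2024-05-01 10:00:00,123 LEVEL message"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:,(\d{3}))?\s+(\w+)\s+(.*)$")


@dataclass
class Entry:
    ts: datetime
    source: str          # which log file the line came from
    level: str
    message: str
    extra: List[str] = field(default_factory=list)  # continuation lines (e.g. tracebacks)


def parse_source(name: str, text: str) -> List[Entry]:
    """Parse one log file; lines without a timestamp are attached to the previous entry."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            if m.group(2):
                ts = ts.replace(microsecond=int(m.group(2)) * 1000)
            entries.append(Entry(ts, name, m.group(3).upper(), m.group(4)))
        elif entries:
            entries[-1].extra.append(raw)
        # an untimestamped line before any entry has nothing to attach to and is dropped
    return entries


def merge_sources(sources: Dict[str, str]) -> List[Entry]:
    """Combine every source into a single timeline ordered by timestamp (stable sort)."""
    merged: List[Entry] = []
    for name, text in sources.items():
        merged.extend(parse_source(name, text))
    merged.sort(key=lambda e: e.ts)
    return merged


def query(entries: List[Entry], pattern: Optional[str] = None, level: Optional[str] = None,
          since: Optional[datetime] = None, until: Optional[datetime] = None) -> List[Entry]:
    """Filter the timeline; the pattern is also matched against attached continuation lines."""
    rx = re.compile(pattern, re.IGNORECASE) if pattern else None
    out = []
    for e in entries:
        if level and e.level != level.upper():
            continue
        if since and e.ts < since:
            continue
        if until and e.ts > until:
            continue
        if rx and not (rx.search(e.message) or any(rx.search(x) for x in e.extra)):
            continue
        out.append(e)
    return out


# Constructed sample logs from three hypothetical services; not real SOAR output.
SAMPLE_LOGS = {
    "ingestd.log": (
        "2024-05-01 10:00:01,100 INFO container 42 created label=db-outage\n"
        "2024-05-01 10:00:03,500 ERROR playbook dispatch failed: worker unreachable\n"
    ),
    "actiond.log": (
        "2024-05-01 10:00:02,250 INFO action run 7 queued\n"
        "2024-05-01 10:00:02,900 WARNING app 'hypothetical_vault' timed out\n"
        "Traceback (most recent call last):\n"
        "  socket.timeout: timed out\n"
    ),
    "workflowd.log": "2024-05-01 10:00:00,900 INFO start\n",
}


if __name__ == "__main__":
    timeline = merge_sources(SAMPLE_LOGS)
    for e in query(timeline, since=datetime(2024, 5, 1, 10, 0, 2)):
        print(f"{e.ts.isoformat()} [{e.source}] {e.level}: {e.message}")
        for line in e.extra:
            print("    " + line)
```

Run it after a playbook execution with the real directory contents loaded into the `sources` mapping, narrow with `since`/`until` to the window of the operation, and the cross-service ordering shows which microservice failed first instead of forcing a read of each file in isolation.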
reviewer2499171 - PeerSpot reviewer
Cyber Security Analyst II at a retailer with 10,001+ employees
Real User
Saves a lot of time and the mobile app makes it easy for our analysts to get alerted and respond
Pros and Cons
  • "Surprisingly, the mobile app is valuable because it is very convenient for our on-call analysts to respond and get alerted to security alerts and events wherever they are. We are able to harness the power of Splunk SOAR and everything that we are doing, and we are also able to alert our on-call analysts 24/7. From their mobile phone, they can respond to those alerts."
  • "Unfortunately, not all of our analysts are iPhone users or iOS users. The mobile app is only supported on iOS. Our analysts who have Android do not have that benefit. That would be a nice thing to have so that we can have it across the board and not just for iOS."

What is our primary use case?

The primary use case is for our Security Operation Center. We use it for automation and responding to some of our cybersecurity alerts. It is being used for performance enrichment and automation on those events.

We do not use Splunk SOAR to predict things or try to predict things that can happen in the future. We are mainly using it to respond to things. It is more for responding to events that have happened.

How has it helped my organization?

We implemented Splunk SOAR because we had a lot of repetitive tasks that our analysts do. In our area, it was hard, and it still is hard, to find cybersecurity graduates and analysts, so any time that we can save for our analysts can be better spent.

There have been a lot of time savings, which equal dollar savings for the company. We have a lot of automation of repetitive tasks and things like that. We do not have to do things manually, so it saves a lot of time for our analysts. It is hard to measure the time savings because we are always developing or trying to develop new things. We are not that far along. We have been using it for three years, but we have used it in production for maybe a year and a half. There is a big learning curve, so I am still learning.

Our cloud endeavors are still in their infancy phase. We have not even started to look at that part yet. For our on-prem environment, there is definitely an advantage. There are a lot of features and capabilities not only from a security perspective. We have real-time alerting based on the system downtime and certain logs that are collected and things like that. I am sure we can apply it to the cloud infrastructure in the future as well.

We have definitely saved a lot of time with the things that we have automated. We have probably saved the amount of one analyst in a year.

In terms of Splunk SOAR's impact on our organization’s business resilience, it is on the way to getting there. This year and next year, we will definitely set that stage. We have some initiatives that are just starting that would definitely put us into that area. We have not crossed that bridge yet.

Splunk's unified platform has helped consolidate networking, security, and IT observability tools. A simple example is the ability to use SOAR integrations and API integrations in all the different tool sets that we have. Our analysts can use those tools from Splunk instead of having to log in to each one of those tool sets to do things. It is saving a lot of time as well for our analysts.

What is most valuable?

Surprisingly, the mobile app is valuable because it is very convenient for our on-call analysts to respond and get alerted to security alerts and events wherever they are. We are able to harness the power of Splunk SOAR and everything that we are doing, and we are also able to alert our on-call analysts 24/7. From their mobile phone, they can respond to those alerts. They do not necessarily have to have a laptop with them. That is one of the most convenient features or parts of Splunk SOAR that we use. This type of integration with the mobile app is not very common.

What needs improvement?

Unfortunately, not all of our analysts are iPhone users or iOS users. The mobile app is only supported on iOS. Our analysts who have Android do not have that benefit. That would be a nice thing to have so that we can have it across the board and not just for iOS.

For how long have I used the solution?

I have been using Splunk SOAR for three years.

What do I think about the stability of the solution?

It is very stable. It is pretty rare that it goes down. It crashed just once last week.

What do I think about the scalability of the solution?

This is an aspect that we have not yet explored. We have a single instance on-prem.

How are customer service and support?

From my experience, Splunk support has always been top-notch. I would rate them a nine out of ten. One point that is missing is because of the bad experience that we had while starting out with Phantom. It was hard for the support to assist us. There were definitely some breakdowns in communication that resulted in delays.

Which solution did I use previously and why did I switch?

Before SOAR, it was called Phantom. It was the same thing, and then they changed the name of it. We did not use any other solution previously.

How was the initial setup?

It was a pretty rocky start. That was when it was Phantom, and there were a lot of problems. I had a lot of problems with Phantom. A lot of that was why we had hesitation with renewing Splunk SOAR. A lot of the problems were related to bad code and poor instructions and guidance. Some of it was things that we may not have done right, but a lot of it was related to code. It definitely got off to a rocky start. It was not as smooth as we anticipated the whole thing to be. 

Our environment is on-prem. We have some things in AWS, but I am not privy to the cloud aspect.

What about the implementation team?

We deployed Phantom ourselves.

What's my experience with pricing, setup cost, and licensing?

We renewed it this year. This year was the first time there was a dramatic increase in the price. It was kind of non-negotiable. It was just a high increase. We had internal communications, and it was definitely a surprise to us. In a short time frame, we renewed it this year. Prices are going up everywhere, but they are not always justifiable, at least not to our eyes. The pricing this year was definitely a big shock.

Instead of a gradual increase from time to time, it was just a big sticker shock increase. The price is never going to decrease again. I am not saying it was justifiable or not, but the message that was relayed to us and the unwillingness to negotiate at least to a more reasonable number were surprising.

Which other solutions did I evaluate?

The only one that we pursued was a product called Siemplify which has been bought out by Google since then. Our primary reason for going with Splunk SOAR was that we were already a Splunk customer. It made sense to wrap Splunk SOAR into that as well. We use Splunk ES. With Siemplify, the integration piece was lacking just because it was not a Splunk product.

What other advice do I have?

I would rate Splunk SOAR a ten out of ten, especially as compared to other options out there, such as XSOAR and Siemplify. A lot of my decision is based on the fact that we were already a Splunk customer, so the integration was beneficial.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
SOC analyst at Bkav Corp.
Real User
Top 20
Enabled us to reduce the use of other tools
Pros and Cons
  • "Splunk integrates with so many products. It provides us with good information for us to be able to do our jobs."
  • "I haven't had any issues with the solution so far."

What is our primary use case?

I primarily use the solution for incident investigations. 

What is most valuable?

We can make custom playbooks and use the Playbook Editor to do so. The Playbook is my favorite feature, it's quite useful. There are a lot of automation capabilities.

Its visibility is good. It's end-to-end. We can see incidents across our environment. We've been satisfied with the level of visibility so far. 

The automation helps save us time. We've saved a lot of time researching incidents. If we do resolutions manually, it can take up to 15 minutes. With Splunk's automation and Playbook, we can resolve issues within two to three minutes. 

We have Splunk integrated with other tools and systems. Some are using, for example, Carbon Black EDR. It's very flexible. It works with various third-party tools. Which we use depends on the customer. 

The solution provides good business resilience. It helps with real-time detection and resolutions. With automation, our real-time alerting is quite good. 

Splunk integrates with many products. It provides us with good information for us to be able to do our jobs.

We have been able to reduce the use of other tools. When we use Splunk, we tend to just focus on Splunk's findings, only. We do a lot of investigations using Splunk. It makes the process easier. 

We've noticed a reduction in security event volume. It's helped us to reduce a lot. We've been able to reduce the mean time to detect by 30% to 40%. It's also helped us reduce the mean time to resolve by almost 50% to 60%. We have a lot of customers and a lot of alerts typically, so we've always had a lot to deal with. 

What needs improvement?

I haven't had any issues with the solution so far. 

For how long have I used the solution?

I've used the solution for three months.

What do I think about the scalability of the solution?

The solution is really scalable. We are using it across multiple customers and handle multiple alerts. 

How are customer service and support?

We are able to connect with support if we have issues. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Right now, we also have IBM. However, mostly, we use Splunk. Our customers prefer Splunk over IBM thanks to the playbooks on offer. The appearance of Splunk is also better. Splunk has a strong reputation in the space. It makes investigations easier.

How was the initial setup?

The deployment process is straightforward. Our deployment team will deploy it for customers. It will take two to three days, depending on our customer's servers. 

We can train employees on how to use Playbooks within two months. 

What about the implementation team?

We help our clients deploy Splunk. 

What's my experience with pricing, setup cost, and licensing?

The cost is as expected. It can be a bit high, however, we get a better rate between us and our third party. We provide services to clients if they purchase Splunk SOAR which gives them good value. 

What other advice do I have?

I'd rate the solution nine out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer. partner
PeerSpot user
Ryan Plas - PeerSpot reviewer
SOAR Engineer at Accenture Federal Services
Real User
Top 10
Offers playbook automation that helps reduce the manual and tedious work for users
Pros and Cons
  • "The most valuable feature of the solution is the playbook automation just because it allows us to reduce the manual actions that SOC has to handle."
  • "Improving the integration ecosystem can raise the quality of the bottom tier of the integrations so that they can work better out of the box."

What is our primary use case?

My company operates as an MSSP that takes care of the detection and response for our customers. Splunk SOAR is where our company does the alert processing, and it is also where our SOC does its work. I work on developing the playbooks and apps that we use.

How has it helped my organization?

The product has improved the working of our company since it has removed a lot of the tedious work that we had to do previously. Even some of the easy stuff gets automated. Our company's analysts can really focus their hours on work that requires critical thinking, creative skills, and other similar areas.

What is most valuable?

The most valuable feature of the solution is the playbook automation just because it allows us to reduce the manual actions that SOC has to handle. When it comes to some of the workbook functionality where the analyst has to take some manual action, we can guide that process through templates and other things.

What needs improvement?

I think some of the case management functionality could be improved. Improving the integration ecosystem can raise the quality of the bottom tier of the integrations so that they can work better out of the box. In general, our company is pretty happy with the tool.

For how long have I used the solution?

I have been using Splunk SOAR for four years.

What do I think about the stability of the solution?

The tool's stability is fairly good.

What do I think about the scalability of the solution?

When it comes to scalability, I think we have seen some issues there, such as running into hardware bottlenecks sometimes. I am detached from that part of the deployment, so I can't go into details on the things I have seen, but I know there are some pain points for our company. As we scale up the tool in our company, we are not really sure how to scale up in a better manner.

How are customer service and support?

The customer service and technical support have been great. We had some professional support come out when we set it up, and they were super helpful in helping us with the use cases and getting us stood up quickly. When our company reached out to the support team with some technical issues, I didn't hear any complaints about the responses from their end, so I think it was good.

Which solution did I use previously and why did I switch?

I have not used any other solutions in the past.

How was the initial setup?

I have done the deployment personally in my lab but not in a production environment.

Which other solutions did I evaluate?

My company evaluated Siemplify, which is known as Chronicle SOAR. My company has also evaluated Demisto and Cortex XSOAR. Our company is heavily invested in Splunk's ecosystem, and I think that was the biggest draw, especially since we use Splunk Enterprise Security and similar tools, so adding another Splunk tool made sense for our company. I think the product felt mature, and the plug-in ecosystem was where we needed it to be, along with the ability for the community to submit and create their own integrations and apps, which was interesting for us.

What other advice do I have?

When it comes to Splunk SOAR's ability to provide end-to-end visibility into our company's cloud-native environment, I would say that we are not using the cloud portions of it. I don't know if that's super relevant to what we are doing in our organization.

I am 100 percent sure that Splunk SOAR helped reduce our mean time to resolve. I don't have any metrics on hand, but I know it has dramatically decreased.

The tool has helped with the business resilience part. I think having it as a platform has been a solid portion of the product that we offer to people.

Splunk SOAR has definitely saved my time in alert triage. When some of the tedious enrichment and lookup stuff happens, the analyst doesn't have to deal with such areas, and they can just jump in and see relevant data all in one pane of glass, which has been super helpful for speeding things up.

The unified platform helps consolidate networking, security, and IT observability tools. The consolidation of tools impacts our organization as it just helps focus the SOC analyst on a single unified place to find information. It helps keep things streamlined and regular so they know where to look for certain stuff they want. It really helps people with training. It is a really easy tool to onboard people into because everything is right there in the product itself.

The product is really great. I would love to see more SOAR innovation going into the tool, especially the on-premises version since it is what we use in our company. I feel the tool needs to encourage continuous improvements, but as a product itself, my company is really happy with the solution.

I rate the tool an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Nagendra Nekkala. - PeerSpot reviewer
Senior Manager ICT & at Bangalore International Airport Limited
Real User
Top 5 Leaderboard
Helps with visibility, offers helpful playbooks, and has good automation
Pros and Cons
  • "It helps increase efficiency and productivity."
  • "The number of playbooks on offer should be increased."

What is our primary use case?

We primarily use the solution for security automation. It's used to investigate and remediate threats.

How has it helped my organization?

Normally, we would have to manually investigate events. However, with Splunk, everything is automatically investigated. 

What is most valuable?

The playbooks are great. They are very useful. We can define rules, including what the remediation should be. Everything gets clearly defined. You can set up different types of automation. It helps increase efficiency and productivity.

The solution provides us with end-to-end visibility.

It's easy to visualize and troubleshoot our cloud-native environment using Splunk. There's simple product management and quick detection and response that helps minimize risks. I can handle continuous monitoring from an operation control center. 

We can integrate with other systems. It's helped minimize incident tickets and my overall response time has been lowered. We began to realize benefits within three to four months of deployment. 

Splunk is very easy to use during an investigation. It's very straightforward. 

We've been able to reduce our security event volume by 50%. We've also been able to reduce our mean time to detect by about 25%. It's helped us save time and consolidate tools in our environment so that we can minimize staff appropriately. The automation makes all of this possible.

What needs improvement?

The number of playbooks on offer should be increased. 

For how long have I used the solution?

I have been using the solution for two years.

What do I think about the stability of the solution?

The solution has consistently been stable. 

What do I think about the scalability of the solution?

We have about 300 people using the solution. It's scalable. We may increase usage in the future. We want to get the enterprise license. 

How are customer service and support?

Technical support has been good. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not previously use a different solution. 

How was the initial setup?

It was easy to implement the solution. It took our team about four months to be trained on how to use the playbooks. 

We had two people managing the deployment process. One handled configuration, and the other handled integration. 

No maintenance is required for the product once implemented. 

What about the implementation team?

We handled the implementation in-house. 

What's my experience with pricing, setup cost, and licensing?

I'm not aware of the exact pricing. 

Which other solutions did I evaluate?

We did not evaluate other options. 

What other advice do I have?

It's a valuable solution. It enables SIEM capabilities. We're able to orchestrate when events are happening, and this minimizes event tickets. We are able to handle security challenges while gaining good visibility.

I'd rate the solution nine out of ten. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Shubham Sinha. - PeerSpot reviewer
Senior Principal Information Security Analyst at Veritas Technologies LLC
Real User
Top 20
Helped eliminate repetitive and redundant tasks, but custom functions and reporting need a lot of work
Pros and Cons
  • "When you design a playbook, you can integrate multiple log sources and define rules... After that, the platform automatically compiles all these activities and, based on the results, the analyst only has to indicate whether the result is a true or false positive. That reduces the time and effort involved."
  • "Suppose I am initially granted user rights or analyst rights, but later on, I also get admin rights. SOAR is unable to amend the limitations of my role. I raised a support ticket with Splunk about this. They said it's a bug in their 5.3.5 version. To fix this, I had to reinstall the entire platform from scratch."

What is our primary use case?

I'm using it mainly for SOC automation and reporting. It's for incident and threat modeling, incident reporting, and triage.

I come from a cybersecurity background and I used to work on the tickets for the security alerts we received from various sources, including Splunk and other SIEM tools. The major challenge was that we were occupied with a lot of noise and activities like validation of IP reports, DNS checks, and traffic monitoring. These were redundant activities that every analyst had to do. We wanted to stop these kinds of activities. 

How has it helped my organization?

Splunk SOAR has multiple integrations with various tools, such as VirusTotal. Once we purchased those tools from the respective owners and automated them, the kinds of redundant activities we were having to do were almost immediately stopped.

Also, the ingestion of multiple log sources together helped us eliminate false positives. Using the SOAR platform, our monthly alert count was reduced from 1,100 to 200 or 250. That was the best impact we have seen from implementing SOAR in our environment.

It has reduced our mean time to detect and mean time to respond, from 20 to 30 minutes to just 5 to 10 minutes. In cybersecurity, every moment can be a ticking time bomb for us. We need to get to a solution immediately, whenever any incident is triggered in our environment. SOAR has helped us a lot.

Using this platform has resulted in a better work-life balance for my team.

What is most valuable?

One of the features I like most is playbook creation, and custom functions are another. 

When you design a playbook, you can integrate multiple log sources and define rules. That used to be done by the analysts by going to the respective tools and doing tasks manually. Now, with playbook design, writing down those rules is a one-time activity that a SOAR admin has to do. After that, the platform automatically compiles all these activities and, based on the results, the analyst only has to indicate whether the result is a true or false positive. That reduces the time and effort involved. Our KPIs have greatly improved. An incident that used to take 15 to 20 minutes, was reduced to five minutes. This helped us speed up our response to any alert, whether it was a true positive or false positive.

Another of the best parts of the SOAR platform is its ability to integrate with other systems and applications. It provides API integrations and, through them, I can limit the rights for the tool, which is good. If I want to integrate any of the applications with CrowdStrike, but only for incident-review policies or just to review the work automation, I can grant rights only for those purposes. That is one of the best features available in SOAR. It is very easy to implement and very user-friendly.

What needs improvement?

The visibility of the solution’s playbook viewer depends on the right you assign to the analyst. SOAR has the flexibility to distinguish between the roles of analyst and owner. If the analyst's role is to just work on a ticket, they cannot view the playbook design platform. That is limited to the owner. That can be both a good and bad thing.

A major problem I have faced in SOAR's rights distribution is roles and responsibilities. Suppose I am initially granted user rights or analyst rights, but later on, I also get admin rights. SOAR is unable to amend the limitations of my role. I raised a support ticket with Splunk about this. They said it's a bug in their 5.3.5 version. To fix this, I had to reinstall the entire platform from scratch, just to amend the rights and responsibilities of one role. This bug was not fixed.

Also, the latest GUI is terrible. The previous one was better.

Another point is that while using Splunk SOAR in an investigation is not difficult, there are some complex parameters. We have SOAR case management, but the licensing is going to put a big hole in your pocket. Also, there is an issue with investigation node addition. When you are doing node additions you cannot grant the entire environment to have SOAR visibility into the incident. So when you integrate it with an ITSM tool, like ServiceNow or Jira for ticketing purposes, there is a challenge. When you do nodes for investigation on a regular basis, sometimes it does not update our ServiceNow platform, which is terrible. It is a redundant activity for an analyst to update that in the case management as well as in the ITSM tool. Although SOAR provides integration, the functionality of investigation and nodes is terrible when it comes to integration.

An additional area for improvement is custom function creation. It's terrible. A newbie cannot create custom functions right away. They would require a solid understanding first.

Also, the reporting is really awful. If I want to do a report for a customized time period, such as the last three days or the last four days, or from the 10th to the 12th of June, that is not available in SOAR at all. That kind of feature is available in Cortex XSOAR. Reporting is a real challenge.

For how long have I used the solution?

I have been using Splunk SOAR for four years.

What do I think about the stability of the solution?

It's a stable environment. I don't have any complaints about it in terms of its stability.

What do I think about the scalability of the solution?

Aside from the issue I described where I started with an analyst's role in the solution and then was granted an admin role but the privileges remained those of an analyst, and I had to reinstall the entire platform, overall, the scalability is good.

How are customer service and support?

We have contacted their tech support many times. They are readily available if I raise a P-1 ticket, because SOAR is not something we can work without. Their support is good and more capable than the SME we hired.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Before SOAR was purchased by Splunk, it was named Phantom and that is what I have worked with most of the time. I have also worked on Demisto, which is now Palo Alto Cortex XSOAR. That was a bit more user-friendly compared to Splunk SOAR.

How was the initial setup?

The initial deployment of SOAR is very complex. In my previous company, the deployment took me almost 10 days, and that was with a Splunk SME sitting with us. We paid them money to have the SME, but even he was unable to do what we needed to be done. Later on, we raised a support ticket with them and there were multiple escalations from our upper management to the Splunk management team. They then sent a good technical guy and he fixed the issue within five minutes. Before that, we were unable to do the DR instance. It took around 10 to 15 days just to fix that.

It's very difficult to install. No newbie could install SOAR on his own. He will require support. Here, I'm specifically talking about the later versions, not Phantom, rather once it became Splunk SOAR v5.3.5.

We had three people involved.

There is some maintenance. For example, it was using Python 2.7 and then there was the decommissioning of that version and the move to Python 3.x. That meant upgrading all the playbooks.

What's my experience with pricing, setup cost, and licensing?

It's very overpriced because it is based on the number of users. There is no bulk licensing.

What other advice do I have?

My advice would be to negotiate the cost. And if your organization is on the smaller side, with between 200 and 500 employees, you should not purchase it because it will blow up your finances. A bigger environment, with 2,000-plus employees, can go with the Splunk SOAR solution.

And if you are going with this solution, you should confirm what support they are going to provide, such as whether they are going to provide training credits or not. Sometimes they don't provide Splunk credits for training. Any newbie who is going to work on this will find it terrible to work in this environment. He will not be able to work without guidance. Other SOAR solutions, like Demisto (Cortex SOAR) are very user-friendly.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer2508657 - PeerSpot reviewer
IT Director at a manufacturing company with 501-1,000 employees
Real User
Easy to create playbooks and has saved alert triage time
Pros and Cons
  • "Its ability to integrate with other systems and applications in our environment is pretty easy. Sometimes if we see any complexity we try to involve a consultant to help us. Everything is through the built-in app. Splunk can connect to any assets through the built-in app. It could be in a platform, firewalls, or endpoints. It's easy if it's an app integration."
  • "The font used in the interface could be changed and made easier to read."

What is our primary use case?

We were using Splunk primarily to ingest data from different sources and do an analysis based on its information. We use Splunk SOAR now because we had some incidents where end users were trying to send a bulk of emails from their office email address to their personal email address. SOAR will help us based on the configuration we do. 

When you use your company email address to send emails to your personal email address or elsewhere, you're trying to leak the complete confidential data. It's a risk. SOAR is the first step for DLP. We can have alerts set up where we can see if somebody's trying to send more than a fixed number of emails. The next steps happen in terms of implementing DLP.

What is most valuable?

I'm the director. I have a technical team who works on it. I give instructions on how to implement it. We are in the beginning stages.

I like the interface. 

From what I heard from the team, it's pretty easy to create playbooks. With the app, you can easily view the app code. You can look at the log results and troubleshoot. The app can be enabled to suit your needs. As our SOC evolves, we can make changes or customize it according to our needs in SOAR.

SOAR offers end-to-end visibility across our full environment. It really depends on what sources we are ingesting. If you don't have data sources ingesting into Splunk that cover everything end-to-end, then, obviously, SOAR will not give you what you're looking for. SOAR will help the best depending on what you ingest into Splunk.

The ability to troubleshoot with SOAR is excellent. 

Its ability to integrate with other systems and applications in our environment is pretty easy. Sometimes if we see any complexity we try to involve a consultant to help us. Everything is through the built-in app. Splunk can connect to any assets through the built-in app. It could be in a platform, firewalls, or endpoints. It's easy if it's an app integration.

We will slowly see improvements in our business resilience once we have everything configured fully.

SOAR saved time in alert triage by around 30%.

SOAR is easy to use in an investigation. It also helped to reduce our security event volume by 50%.

It reduced our mean time to detect by 60-70%.

We have seen time to value. It's a work in progress.

We can set up alerts and get emails, so we can immediately respond to whatever data source or issue is causing it.

What needs improvement?

I would like to have a better user guide to explain how to use it. 

The font used in the interface could be changed and made easier to read. 

For how long have I used the solution?

We have been using SOAR for a few months.

What do I think about the stability of the solution?

I would give stability and scalability a nine out of ten.

How are customer service and support?

We have not used support for SOAR yet. 

How was the initial setup?

The deployment is easy. It took a few hours to get up and running. Two people were involved in the deployment. 

What's my experience with pricing, setup cost, and licensing?

It's expensive. The price is high but the product is good. 

What other advice do I have?

It's on the cloud so it doesn't require maintenance. 

I would recommend Splunk SOAR. I would rate it a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
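The threshold alert described in the review above (a user sending more than a fixed number of messages to personal mailboxes), as an added example that is not part of the review or of Splunk SOAR: a small Python detector run over constructed mail-gateway log lines. The log format, the corporate domain, the personal-webmail list, the threshold and the time window are all assumptions.

```python
"""Added example, not from the review or from Splunk: a sliding-window
threshold detector for corporate users forwarding many messages to personal
mailboxes. Log format, domains, threshold and window are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

CORP_DOMAIN = "example.com"                                   # assumed
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list
THRESHOLD = 5                  # alert when MORE than this many in one window
WINDOW = timedelta(minutes=60)

# Constructed mail-gateway log lines: "<timestamp> from=<addr> to=<addr>".
SAMPLE_LOG = """\
2024-06-10T09:00:12Z from=alice@example.com to=bob@example.com
2024-06-10T09:01:05Z from=alice@example.com to=alice.home@gmail.com
2024-06-10T09:05:30Z from=alice@example.com to=alice.home@gmail.com
2024-06-10T09:10:44Z from=alice@example.com to=alice.home@gmail.com
2024-06-10T09:20:02Z from=alice@example.com to=alice.home@gmail.com
2024-06-10T09:30:19Z from=alice@example.com to=alice.home@gmail.com
2024-06-10T09:45:57Z from=alice@example.com to=alice.home@gmail.com
2024-06-10T10:00:00Z from=carol@example.com to=carol.x@outlook.com
2024-06-10T10:02:00Z from=carol@example.com to=carol.x@outlook.com
2024-06-10T10:04:00Z from=carol@example.com to=carol.x@outlook.com
2024-06-10T11:00:00Z from=dave@example.com to=dave99@yahoo.com
2024-06-10T11:30:00Z from=dave@example.com to=dave99@yahoo.com
2024-06-10T12:00:00Z from=dave@example.com to=dave99@yahoo.com
2024-06-10T12:30:00Z from=dave@example.com to=dave99@yahoo.com
2024-06-10T13:00:00Z from=dave@example.com to=dave99@yahoo.com
2024-06-10T13:30:00Z from=dave@example.com to=dave99@yahoo.com
2024-06-10T13:31:00Z from=someone@gmail.com to=alice@example.com
"""


def parse_line(line):
    """Return (timestamp, sender, recipient) from one constructed log line."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["from"].lower(), fields["to"].lower()


def is_exfil_candidate(sender, recipient):
    """Corporate sender to a personal-webmail recipient; inbound mail and
    internal mail are ignored."""
    return (sender.endswith("@" + CORP_DOMAIN)
            and recipient.rsplit("@", 1)[-1] in PERSONAL_DOMAINS)


def find_bulk_forwarders(log_text, threshold=THRESHOLD, window=WINDOW):
    """Map sender -> peak number of candidate messages inside any window of
    length `window`, for senders whose peak exceeds `threshold`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient = parse_line(line)
        if is_exfil_candidate(sender, recipient):
            events[sender].append(ts)

    alerts = {}
    for sender, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts[sender] = max(alerts.get(sender, 0), count)
    return alerts


if __name__ == "__main__":
    print(find_bulk_forwarders(SAMPLE_LOG))   # alice only: 6 in 60 minutes
```

With the assumed settings only alice trips the alert; dave sends the same number of messages but spread over two and a half hours, so no single window holds more than three.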
PeerSpot user
Buyer's Guide
Download our free Splunk SOAR Report and get advice and tips from experienced pros sharing their opinions.
Updated: October 2025