Senior Technical Specialist at a financial services firm with 10,001+ employees
Automation we have implemented has cut our agents' workload significantly, but playbook editor needs some work
Pros and Cons
- "It's pretty easy when it comes to setting up assets. If you want to fetch emails or call a REST API, you can set up an asset and grab that information."
- "Creating playbooks using the solution’s playbook editor, for me, is very cumbersome. There have been instances where I have said to myself that I just don't want to use this editor. I might just use a code block and write my own code within it... The functionality in the playbook editor is 80 percent there, but that 20 percent is still lacking. They could make it more efficient."
What is our primary use case?
We use it for risk management. And, we're trying to automate our L1 and L2 agents' functionalities. Through automation, we're trying to reduce the effort that is put in by an agent.
How has it helped my organization?
The amount of time that our L1 and L2 agents used to take to do a simple task was about 40 hours per week. Using SOAR and automation we have reduced that to 10 to 15 hours per week. That is a big win. Building up the playbooks helps with the daily investigations for our agents and risk management team.
It has also helped to reduce our mean time to detection. Something that used to take, on average, 30 minutes now takes about five minutes. It really depends on the kind of event it is. And it has definitely helped free up our IT staff for other projects.
Splunk SOAR has also reduced our dependency on UBA, although we still use it. And similarly, while we still use Splunk Enterprise Security (ES) for threat detection, SOAR has reduced our dependency on that by using it for investigation. Of course, ES has to be there as it is receiving feeds, but the SOAR/ES collaboration is just a better way to function.
What is most valuable?
It's pretty easy when it comes to setting up assets. If you want to fetch emails or call a REST API, you can set up an asset and grab that information. Of course, we need to do some improvisation as far as coding is concerned, but you can just set up an asset such as O365. Or, if you are looking for any of the threat feeds, you can just set up an asset and they're readily available. You can then grab that particular information or those logs and bring them into SOAR.
Another good aspect is SOAR's ability to integrate with other systems and applications. We haven't faced any challenges with that. It's pretty simple and easy.
And although I'm more of a developer as opposed to an end-user, the reviews that we get from our end-users are that they picked it up pretty quickly. Based on that feedback I would say using SOAR for an investigation is pretty easy and convenient.
What needs improvement?
Creating playbooks using the solution’s playbook editor, for me, is very cumbersome. There have been instances where I have said to myself that I just don't want to use this editor. I might just use a code block and write my own code within it. I've tried using the editor for some of our playbooks, but I find it's cumbersome. It's easy to drag things in the GUI, but for the actual coding part and joining those bits in a full code, it's not as good as I would like. They have tried to make it as simple as possible, but its functionality is not up to the mark.
The functionality in the playbook editor is 80 percent there, but that 20 percent is still lacking. They could make it more efficient.
Buyer's Guide
Splunk SOAR
October 2024
Learn what your peers think about Splunk SOAR. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,763 professionals have used our research since 2012.
For how long have I used the solution?
I've been using Splunk SOAR for almost two years.
What do I think about the stability of the solution?
Initially, there was some lagging, but there are no issues at all now.
How are customer service and support?
I'm pretty impressed with Splunk's customer support. They're pretty responsive and I appreciate that.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We were using Phantom, which is a Splunk product, but they asked every customer to migrate from Phantom to SOAR. In my opinion, it's still the same thing, but in a more improvised way.
How was the initial setup?
It is a cloud solution for us. The deployment was in between straightforward and complex.
Training our SOC team to use the playbooks happened pretty quickly. After a couple of weeks, we were up and running.
We have somewhere between 30 and 50 users of SOAR, and there is no maintenance on our side.
What about the implementation team?
Splunk employees helped us out.
What was our ROI?
It took us four to five months to see value from SOAR, it didn't happen right away. But that was because we were still building up the environment, including the playbooks.
What other advice do I have?
Initially, we were trying to use it as a case management system, but after a lot of development, it wasn't up to the mark for the end requirements that we had from the business for that. SOAR is more of an orchestration and automation tool. Using it for case management was not appropriate on our end.
My advice is that if you are already using other products from Splunk, like Splunk ES or Splunk Core, first try to refine your logs to make them SaaS-compliant. I don't think SOAR accepts a SIEM model, it's more of a SaaS. Start looking at the logs and making them compliant if you want to bring some of your logs into SOAR. Also, spell out the integrations you require, the type of functionality you want to use it for.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Data Engineering Sr Analyst at Accenture
Automates many of your threat-related activities and gives you alerts based on the criteria
Pros and Cons
- "The solution’s dashboard is really good and customizable. It also has a good UI."
- "The application does not work properly and does not pass the log-based configuration. I feel that some kind of review should happen in the application. This review should validate things so that we can get the right information. Splunk does not tell us what the IP address is associated with."
What is our primary use case?
The solution provides information on user accounts. The solution has playbooks that check the user with server ID. It checks the domain name and IP address of the web page.
How has it helped my organization?
The solution has helped my company in many ways. It gives us information on the IP or server that is related to physical services. The tool also gives us alerts.
What is most valuable?
The solution’s dashboard is really good and customizable. It also has a good UI.
What needs improvement?
The application does not work properly and does not pass the log-based configuration. I feel that some kind of review should happen in the application. This review should validate things so that we can get the right information.
Splunk does not tell us what the IP address is associated with.
For how long have I used the solution?
I have been using Splunk SOAR for more than one year.
What do I think about the stability of the solution?
I would rate the solution’s stability an eight out of ten.
What do I think about the scalability of the solution?
I would rate the solution’s scalability a ten out of ten. There are more than twenty users of the solution in our company. We plan to increase the usage.
How are customer service and support?
I would rate the solution’s support around seven to eight.
How would you rate customer service and support?
Positive
How was the initial setup?
The solution’s setup is easy.
What was our ROI?
The solution gives us better ROI.
What's my experience with pricing, setup cost, and licensing?
The solution’s pricing is costly at some points.
What other advice do I have?
I would rate the overall solution a nine out of ten. The tool automates many of your threat-related activities and gives you alerts based on our criteria. This solution is definitely useful. The product gives us the power to handle anything.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Consultant at HCL Technologies
Enables optimization by reducing manual intervention and increasing automation in the workflow
Pros and Cons
- "The product provides 100% automation for certain processes."
- "The solution must provide more AIOps to improve predictability."
What is our primary use case?
I use the solution for incident response and automation.
How has it helped my organization?
The product helps with workflow reduction. The manual efforts required have been reduced. It contributes to optimization. The extent of workflow reduction varies depending on the instance. Manual intervention is required for critical processes. If it is not critical, we can automate it.
What is most valuable?
The product provides 100% automation for certain processes. It needs no manual intervention. We can integrate various tools like VirusTotal and ServiceNow. We can automate all the tasks. It is one of the best things about the tool. It also provides workforce protection.
Whenever we get any alerts or make any configurations, we develop workflow automation using the playbooks. We can fully automate some of the security incident resolutions. We can also do identification and redirection using the product.
I have integrated Splunk Phantom with Splunk Cloud. Previously, I used it with Splunk on-premise to get the logs into Splunk for tracking and audit purposes. Since Splunk is a SaaS-based product, it has certain maintenance windows. Over time, the vendor does some maintenance during off-production hours.
Creating playbooks using the solution’s playbook editor is not tough. For someone who knows the solution, I rate the ease of creating playbooks as four out of five. The solution’s playbook viewer provides full visibility. The product provides different integrations. We can easily integrate the tool with VirusTotal, ServiceNow, and the asset and identity management system.
The product is somewhat easier to use in an investigation. We have been able to identify the false positives using the product. The tool has helped reduce false positives by 30%. Splunk SOAR has helped reduce our mean time to detect by 10% to 15%. Splunk SOAR has a major impact on our mean time to resolve. Our mean time to resolve has been reduced by 35% to 40%.
I have integrated VirusTotal with Splunk SOAR. Instead of doing manual checks, I can easily get the score by integrating the tool with Splunk SOAR. I have also synced Active Directory with the asset and identity management system.
It's been a long time since we have implemented Splunk SOAR. It brings value to our organization. Before Splunk SOAR, everything was done using manual intervention. We had to educate the SOC team on how to do tasks. We also had to create playbooks for them. With Splunk SOAR, we only have to educate the team about how things are done so that they can perform a manual intervention when there is a failure, which is rare.
After deploying the product, we had to provide some training to the SOC team. After getting trained, it was hands-on. Along with other Splunk solutions, Splunk SOAR provides the resilience to face any issues and hardships. We easily cope with downtimes.
Splunk SOAR offers us end-to-end visibility across our environment. It depends on how much we utilize it. Visualizing and troubleshooting our cloud-native environment using Splunk SOAR is somewhat easy. I have to coordinate with the Phantom administrators if there is any issue. I work mostly on playbook development and integrating it with security instances.
What needs improvement?
The solution must provide more AIOps to improve predictability.
For how long have I used the solution?
I have been using Splunk SOAR for three to four years.
What do I think about the stability of the solution?
The tool is stable because it is completely SaaS-based.
What do I think about the scalability of the solution?
The SOC and engineering teams use the solution. The engineering team uses it to automate tasks. We have around 30 to 40 users. We were not using the tool completely initially. Once we started using it, we scaled it. We have also increased the number of product licenses. Our clients are enterprise-level businesses.
How are customer service and support?
I've been using Splunk products for a long time. Overall, I am pretty satisfied with the quality of service of the support team.
How would you rate customer service and support?
Positive
How was the initial setup?
Splunk SOAR is SaaS-based. The deployment takes a few months to stabilize. We have a Splunk team that manages the deployment. Two to three people are involved in the deployment.
What's my experience with pricing, setup cost, and licensing?
Everything good comes with a price. The tool is not cheap. However, if we use it to its full potential, it will be beneficial.
What other advice do I have?
Overall, I rate the product an eight out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Last updated: Jun 10, 2024
Director of Security Engineering and Operations at a legal firm with 1,001-5,000 employees
We can enrich alerts by pulling in more information about each user
Pros and Cons
- "I like the way Splunk interacts with various systems via the API. The ability to integrate Splunk with our ticketing system has been an immense help because we can maintain our workflow while blending Splunk with our support desk and other ways that we track work."
- "We have playbooks written to extract these events and put them into the workflow since it wasn't structured as expected. It was a miss for us. We couldn't figure out why it broke or what actually happened there. It was something in this feed with legitimate and security events, so we tried to understand the names and what we would call them."
What is our primary use case?
My company has two use cases for Splunk SOAR. We use it to enrich alarms by pulling in outside sources of information. Splunk can also automate actions while ensuring they are structured and reproducible.
How has it helped my organization?
With SOAR, you build a workflow, so you think ahead about all the steps that can be automated for a specific type of investigation. You need to do a decent amount of work in advance so that it does exactly what you tell it to. We need to gather a lot of essential details for our incidents. For example, if we're investigating a suspicious email, we need to gather a lot of information about who the user is.
We can enrich alerts by pulling in more information about each user. We can see their locations, roles, etc. Having that knowledge may influence our decisions or analysis. We can also submit files to be reviewed and get the results. It's akin to a doctor ordering diagnostic testing. The doctor can use the results to make decisions.
Splunk has benefited us from that perspective, but it takes some effort upfront to think about the flow and build it out. It reduces some of our manual research by offering additional context for events. I can pull the files, automatically submit them to a sandbox, have it run, and get the results from the sandbox. I don't have to notify one of my engineers and tell them to get this file I submitted to the sandbox.
It also improves ticketing because we can notify users when suspicious emails are quarantined and ensure a ticket is associated with it. We constantly track the work. We can close the ticket when the issue is resolved and release the email if it's legitimate. Splunk helps us document the entire process.
Splunk reduced our detection time a little by helping us quickly differentiate between an actual event and a false alarm. I don't view SOAR as a detection mechanism in itself. The events still occur. It helps enrich alerts so we can distinguish between actual events and noise.
For every event, it saves the responding staffer about 15 to 20 minutes because they need to do less data entry. They need to do the research and follow our procedure for a ticket. It takes time to assign a ticket and make entries. Finally, they need to perform an assessment and close the ticket.
Splunk SOAR frees up our staff to work on other things to a degree. There is always more than enough work, and somehow the volume still feels like it's always crazy. Still, it allows people to do some other tasks. It will enable my engineers to focus on more thought-provoking problems instead of menial tasks. I want them to spend time learning the underlying mechanism in case SOAR goes down.
If Splunk is unavailable for whatever reason, I always want to have someone who understands the mechanics of what it does. At the same time, it improves retention if you can eliminate some mind-numbing work and allow them to focus on challenging items. Your employees will be happier in general. They can do some more unusual, engaging work that enables them to learn and grow.
We couldn't consolidate any tools by using Splunk SOAR because everything was manual before we implemented it. We didn't have an automation tool.
What is most valuable?
I like the way Splunk interacts with various systems via the API. The ability to integrate Splunk with our ticketing system has been an immense help because we can maintain our workflow while blending Splunk with our support desk and other ways that we track work.
What needs improvement?
Sometimes we flag events based on conditions in the app or service that is sending us the feed, and we focused on a couple. We get some normal events, but we also see some security issues occasionally in the same feed. I don't know if they injected this or if this was the first time we saw it. There was another type that was security-related, but we didn't know about it before.
We have playbooks written to extract these events and put them into the workflow since it wasn't structured as expected. It was a miss for us. We couldn't figure out why it broke or what actually happened there. It was something in this feed with legitimate and security events, so we tried to understand the names and what we would call them.
It was a unique time. That goes back to an inability to detect these kinds of events. API documentation is typically a weak spot. Many vendors focus on the product first and save the API information for the very last.
Splunk's integration isn't bad. However, it comes down to which APIs are available. For example, I would like to automate file extraction, and a particular vendor seems to have an API that should do that, but I can't. You're at the mercy of the vendors. While APIs probably leverage more than ever, it's still like pulling teeth to get some vendors to support it correctly. Nevertheless, it's highly beneficial when it works.
Depending on the playbook, it can sometimes get a little crazy and overwhelming, but I think it's generally okay.
For how long have I used the solution?
I have used Splunk SOAR for about a year.
What do I think about the stability of the solution?
Splunk is relatively stable. We had an issue early on. It was a bug. Splunk sorted it out. Our uptime has been consistent.
What do I think about the scalability of the solution?
We haven't had any issues with scalability.
What was our ROI?
It took a little time before we realized Splunk SOAR's value. I have one engineer who dedicated himself to building many of our playbooks and a lot of the automation that we have. Another engineer is only starting out.
You need to have the right mindset so that you don't get scope creep. It's critical to manage what you want to do because you're dealing with a blank slate. There are costs like computation time, but it's relatively straightforward. You need to be thoughtful and take your time to do everything in small chunks. It took us a while to get going with SOAR because we have to integrate our devices. It isn't a turnkey solution.
What's my experience with pricing, setup cost, and licensing?
I don't remember Splunk SOAR's price off the top of my head. Still, I believe it was a solid value because of the time saved, consistent results that are reproducible, integration with multiple systems, etc. The benefits justify the cost.
Which other solutions did I evaluate?
We didn't seriously consider other options. We looked at what was happening in our environment, and our SIEM is a hub for our security operations. Palo Alto is another vendor we use, so we briefly looked at their SOAR solution. However, it wasn't in the right position to work with the Splunk piece. Splunk gathers all the log material. We can act on that and interface with all of our key security devices because they have rich associations with multiple security vendors. It made more sense for us to focus on that.
What other advice do I have?
I rate Splunk SOAR a nine out of ten. If you're thinking about implementing the solution, you should consider which events will save you the most time. Think about the procedures you're following today and where you can benefit the most from automation.
The second piece is thinking about the other solutions involved and the capabilities they offer. Do you have the API access to automate what you want? Your success depends on those vendors and sorting that stuff out. You must also approach your SOAR playbooks and workflows in a modular way. Don't try to handle everything upfront.
It's best to automate piece by piece. You don't need to tackle an entire ecosystem right off the bat. Take what you can and constantly improve it as you grow more comfortable. Splunk SOAR's strength comes from its interactions with other systems. Ensure that you're fully leveraging that.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Information Security Analyst at a healthcare company with 1,001-5,000 employees
It's a powerful tool that can monitor our servers and improve our web business by reducing security threats
Pros and Cons
- "Splunk has many features that make work easier, and it's simple to implement in a large production environment. Splunk collects a massive amount of data from cloud servers and handles it perfectly."
- "The dashboard could be improved and some other features. SOAR should integrate network capabilities, allowing us to also monitor the WLAN network. Splunk is also expensive and difficult for beginners to learn. It's hard for a new user to figure out how to visualize old threat data. It took two to three months to learn with hands-on experience how to use the dashboard, visualize events, and analyze threats."
What is our primary use case?
I use Splunk to detect threats and conduct threat analysis. The solution monitors, models, and analyzes all security events in our cloud environment's production areas and mitigates threats.
How has it helped my organization?
Before we used Splunk SOAR, we didn't know how much traffic was coming in or what security threats were happening on our servers. We could not monitor the entire production environment. Splunk enables us to perform monitoring, threat hunting, threat analysis, and reporting on the risks and impact on our business.
Splunk improves our business resilience because it's a powerful tool that can monitor our servers and improve our web business by reducing security threats. Before Splunk, security threats heavily impacted our production environments.
In the past, we had to monitor all our servers manually, but now that we have implemented SOAR in our production environment, we no longer need to monitor everything 24/7. It sends alerts to our emails, saving us time that we can spend on other tasks. It reduces our monitoring time by about 50 percent. Splunk speeds up our response time by 20 percent.
Splunk can integrate and manage multiple solutions simultaneously. It has reduced our alert volume and improved our security. We can show our clients that we're monitoring all the production environments and mitigating events as they happen. It has improved our security posture and reduced the risk.
What is most valuable?
Splunk has many features that make work easier, and it's simple to implement in a large production environment. Splunk collects a massive amount of data from cloud servers and handles it perfectly.
It manages the whole thread of data security logs and visualizes the data, making it easier to view everything. Splunk gives you end-to-end visibility of your on-prem environment, enabling you to troubleshoot issues easily.
Splunk integrates easily with the AWS cloud and also other clouds like GCP and Azure. It quickly and efficiently captures all the logs from the cloud just like it was capturing logs from your on-premises environment.
What needs improvement?
The dashboard could be improved and some other features. SOAR should integrate network capabilities, allowing us to also monitor the WLAN network. Splunk is also expensive and difficult for beginners to learn. It's hard for a new user to figure out how to visualize old threat data. It took two to three months to learn with hands-on experience how to use the dashboard, visualize events, and analyze threats.
For how long have I used the solution?
I used Splunk SOAR for about a year at the company I just left.
What do I think about the stability of the solution?
I rate Splunk SOAR eight out of 10 for stability.
What do I think about the scalability of the solution?
I rate Splunk SOAR nine out of 10 for scalability.
How are customer service and support?
I rate Splunk support eight out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I previously worked with Wazuh, and Splunk is a much better SOAR solution.
How was the initial setup?
Splunk SOAR is deployed on the cloud. The initial deployment wasn't complex, but implementing it on our production servers was a bit difficult because we had to deploy agents to more than 60 servers. It requires a little maintenance, such as upgrades and changing the dashboard. Installing it to a new production server takes a day to reconfigure.
What was our ROI?
Once Splunk is fully deployed, we can realize the full benefit. Implementing the solution across all our servers took a week.
What's my experience with pricing, setup cost, and licensing?
I rate Splunk SOAR two out of 10 for affordability. Splunk is a fast enterprise tool, but it costs too much. At the same time, it's worth what we pay, in my opinion. We can efficiently perform all the functions and tie together the data. It's the perfect tool for our needs.
What other advice do I have?
I rate Splunk SOAR eight out of 10. I recommend Splunk if the company can afford it. It's suitable for a large organization that requires security monitoring. It's the best tool for threat hunting and analysis.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Sep 11, 2024
Security Manager at a financial services firm with 5,001-10,000 employees
The Smooth User Experience Currently Offered Can Further Be Enhanced By Offering Customization Options To Its Users
Pros and Cons
- "Before its use, analyzing each email would take at least 15 to 20 minutes, with some complex cases taking up to 30 minutes...With the automation provided by Splunk Phantom, we could significantly reduce the amount of time and human effort required to complete this task."
- "The technical support for the Splunk SIEM solution was average."
What is our primary use case?
As part of the cybersecurity incident response team, we were responsible for handling phishing emails related to business-as-usual operations. It was a manual process that would include five to six checks to determine the category of the email, its legitimacy, if it was malicious, and if it was an impersonation or a phishing email. We also worked on a use case for our infrastructure's proxy solutions. End users would request that certain websites be unblocked, as they had been blocked by the proxy's default policy or categorically blocked by the proxy. For this, we evaluated publicly available information about the website and the justification provided by the users, to determine whether the website should be whitelisted or made accessible.
Then, we implemented the automation process to simplify such tedious processes. In addition, we had a manual process in place for our threat hunting and threat intelligence platform, where we monitored leaked data on the dark web. This was documented as a use case. Our account management team also conducted weekly checks on the status of accounts. The process also made the team check if they were logged in on their accounts and if the account was disabled, which were manual processes that were later integrated into Splunk SOAR.
How has it helped my organization?
As a security analyst in the SOC center, I have seen the impact of implementing Splunk SOAR on our phishing email analysis process. Before its use, analyzing each email would take at least 15 to 20 minutes, with some complex cases taking up to 30 minutes. Of all the emails received, 30% were complex, 50% were average, and 20% were straightforward and would only take five to ten minutes to analyze. With the automation provided by Splunk SOAR, we can significantly reduce the amount of time and human effort required to complete this task. Instead of two analysts taking two to three hours to analyze 20 to 30 emails, one analyst can now complete the same task within one to two hours.
What is most valuable?
The most advantageous feature of Splunk SOAR is its ease of writing search queries, which can be attributed to Splunk's powerful analytics tool running in the background, offering a smooth user experience.
What needs improvement?
Improvements are needed in automation options as customization is limited, which may make complex use cases challenging despite the solution being able to meet basic requirements.
Currently, the tool only allows categorization into two categories, malicious and non-malicious, which has been identified as a limitation by security analysts in various group brainstorming sessions. The ability to create custom categories for emails can benefit security analysts.
For how long have I used the solution?
I was associated with this solution for almost three years. In my previous organization, Meredith, we initially deployed Splunk. Before that, we were using the ArcSight SIEM solution. Later on, after moving on to the Splunk environment, Meredith thought of opting for an automation process. So, we onboarded Splunk SOAR, but the user Splunk was managed by a third-party company.
What do I think about the stability of the solution?
Stability-wise, it is good. It doesn't have any downtime issues. If you consider Splunk SOAR as an independent solution to be deployed at work, then that would not be easy. The challenge is that Splunk SOAR cannot work without the Splunk SIEM solution. But if you have Splunk as your base, then Splunk Phantom works well. So the issues with Splunk Phantom are very minimal. I would rate it an eight on a scale of one to 10, where one is considered the worst and 10 is the best.
What do I think about the scalability of the solution?
In terms of scalability, I believe Splunk SOAR is decent. I haven't encountered any stability issues, even with a large infrastructure of over 10,000 end-user devices and high log inflows. I would rate its scalability as an eight or nine out of ten, where one is the worst and ten is the best. It works well in both large and small work environments.
How are customer service and support?
The technical support for the Splunk SIEM solution was average. Splunk is still working on improving its customer support, as they do not directly support SOAR, which is a separate entity. Other vendors, on the other hand, support various environments. I believe that Splunk can improve its customer support services.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I previously used Demisto, a security automation tool, in one of my previous organizations, Dell Technologies. The ease of writing custom queries and making granular modifications were the key reasons why we used it. In my next organization, I used Splunk SOAR because we already had Splunk in our environment. Currently, I am working in a bank that does not have a Splunk environment, so I am using a different automation tool.
How was the initial setup?
The deployment warranted collecting information on the external and internal parameters of our network system. A network engineer along with a team of four to five people from Hurricane Labs was involved in the deployment of the Splunk SIEM solution for the company. The deployment of the Splunk SIEM solution took approximately six to nine months. During the first three months, the team familiarized themselves with the environment and started the transition from an off-site setup. Over the next six to nine months, the team worked to mature the solution and address any issues with logs not being collected properly and displayed on the Splunk screen.
What about the implementation team?
Splunk SIEM was deployed by a third-party vendor. The vendor was responsible for the end-to-end deployment and was the main point of contact for the project. However, I am not familiar with the specific details of the deployment and therefore cannot accurately explain how the deployment of the solution was done.
What's my experience with pricing, setup cost, and licensing?
In terms of pricing, I would rate it a six or seven out of 10, where one is the highest and 10 is the lowest. It’s on the expensive side, and I'm not sure if a lot of the small-sized organizations will be able to afford it. A medium enterprise environment will be able to afford it. We had to pay for the cost of the licenses for the services we received.
What other advice do I have?
If you use Splunk as your SIEM solution, you can consider Splunk SOAR as your automation tool. However, automation tools such as AutomationEdge or Demisto may provide better value if you have other SIEM solutions.
I rate this solution a seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Software Engineering Manager at Deloitte
We can customize playbooks and incorporate custom code, but the support is subpar
Pros and Cons
- "The solution allows us to customize playbooks and incorporate custom code, allowing us to drag and drop elements while still writing code to build the integrations we need."
- "Splunk's support for integration is subpar and has room for improvement."
What is our primary use case?
We wanted to automate the process of creating playbooks, orchestrating events, customizing integrations, and deploying applications such as ThreatConnect and Wireless Total for enrichment and threat hunting. We have tailored these applications to meet our specific needs and redeployed them.
What is most valuable?
As a programmer, I am glad that Splunk did not position itself as a no-code or low-code platform. The solution allows us to customize playbooks and incorporate custom code, allowing us to drag and drop elements while still writing code to build the integrations we need. This makes Splunk a great solution for a solid platform.
What needs improvement?
Splunk's support for integration is subpar and has room for improvement.
Splunk should make more effort to keep up with the latest developments in the external world, so that their applications, integrations, and enrichment apps are up to date. Additionally, the documentation and support should be improved, as the experience their users have had in the past has been unsatisfactory. We were very disappointed that our queries were left unresolved for six months, as it was a time for response rather than solutions. Additionally, several tickets were lodged with Splunk, yet the issue persisted for half a year.
I would request that SOAR add a feature that allows the extraction of documentation from playbooks. This would enable developers to quickly understand the features and use cases associated with a playbook, so they can modify or interact with it. This would eliminate the need for someone to manually explain each playbook in detail.
I would suggest making the app customizable and deployable in an easy and straightforward manner. This would save time and effort compared to the current process.
For how long have I used the solution?
I have been using the solution for four years.
What do I think about the stability of the solution?
Although not the most stable solution, I would say the overall stability of the updates is satisfactory. I give the stability a seven out of ten.
What do I think about the scalability of the solution?
We had difficulty with scalability, but I would not attribute this to Splunk. It could have been due to our lack of knowledge or lack of support from Splunk. I give the scalability a six out of ten.
Which solution did I use previously and why did I switch?
Our company utilizes a variety of SOAR tools, including Splunk SOAR, Swimlane, and Palo Alto XSOAR, along with ServiceNow for SecOps. Initially, Splunk SOAR was chosen as the SOAR tool due to its compatibility with the majority of our other tools. Unfortunately, it became apparent that SOAR was difficult to install, service, and price, leading some teams to switch to Swimlane and Palo Alto XSOAR.
How was the initial setup?
The initial setup is not necessarily an easy task, nor is it overly complex, so I would say it's of medium difficulty. Splunk could have provided more documentation and support, considering it is not a free product. It would have been much more helpful if Splunk had provided basic understanding and assistance for those installing the solution.
Deployment took several hours each time to install and upgrade, and we often encountered broken pieces of functionality due to miscoordination or non-sequential startup processes. I remember there were five items that came with Splunk SOAR. Deployment was a difficult process, and we ran into issues every time we had an upgrade.
We used Git version control to deploy our playbooks to SOAR, and then we would pull them back to the production SOAR to bring them into use.
What other advice do I have?
I give the solution a six out of ten because of the scope of building playbooks and automation. Unfortunately, this is accompanied by a downside due to a lack of support, bad applications, inadequate documentation, and a general lack of support.
We have thousands of people using the solution.
I would suggest alternatives to Splunk SOAR due to the cost and poor support. However, if cost and support are satisfactory I would recommend the solution.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: customer/partner
IT Director at a manufacturing company with 501-1,000 employees
Easy to create playbooks and has saved alert triage time
Pros and Cons
- "Its ability to integrate with other systems and applications in our environment is pretty easy. Sometimes if we see any complexity we try to involve a consultant to help us. Everything is through the built-in app. Splunk can connect to any assets through the built-in app. It could be in a platform, firewalls, or endpoints. It's easy if it's an app integration."
- "The font used in the interface could be changed and made easier to read."
What is our primary use case?
We were using Splunk primarily to ingest data from different sources and do an analysis based on its information. We use Splunk SOAR now because we had some incidents where end users were trying to send a bulk of emails from their office email address to their personal email address. SOAR will help us based on the configuration we do.
When you use your company email address to send emails to your personal email address or elsewhere, you're trying to link the complete confidential data. It's a risk. SOAR is the first step for DLP. We can have alerts set up where we can see if somebody's trying to send more than a fixed number of emails. The next steps happen in terms of implementing DLP.
What is most valuable?
I'm the director. I have a technical team who works on it. I give instructions on how to implement it. We are in the beginning stages.
I like the interface.
From what I heard from the team, it's pretty easy to create playbooks. With the app, you can easily view an app code. You can look at the log results and troubleshoot. The app can be enabled to suit your needs. As our SOC evolves, we can make changes or customize it according to our needs in SOAR.
SOAR offers end-to-end visibility across our full environment. It really depends on what sources we are ingesting. If the data sources you ingest into Splunk do not cover the environment end-to-end, then obviously SOAR will not give you what you're looking for. SOAR will help the best depending on what you ingest into Splunk.
The ability to troubleshoot with SOAR is excellent.
Its ability to integrate with other systems and applications in our environment is pretty easy. Sometimes if we see any complexity we try to involve a consultant to help us. Everything is through the built-in app. Splunk can connect to any assets through the built-in app. It could be in a platform, firewalls, or endpoints. It's easy if it's an app integration.
We will slowly see improvements in our business resilience once we have everything configured fully.
SOAR saved time in alert triage by around 30%.
SOAR is easy to use in an investigation. It also helped to reduce our security event volume by 50%.
It reduced our mean time to detect by 60-70%.
We have seen time to value. It's a work in progress.
We can set up alerts and get emails, so we can immediately respond to whatever data source or issue is causing it.
What needs improvement?
I would like to have a better user guide to explain how to use it.
The font used in the interface could be changed and made easier to read.
For how long have I used the solution?
We have been using SOAR for a few months.
What do I think about the stability of the solution?
I would give stability and scalability a nine out of ten.
How are customer service and support?
We have not used support for SOAR yet.
How was the initial setup?
The deployment is easy. It took a few hours to get up and running. Two people were involved in the deployment.
What's my experience with pricing, setup cost, and licensing?
It's expensive. The price is high but the product is good.
What other advice do I have?
It's on the cloud so it doesn't require maintenance.
I would recommend Splunk SOAR. I would rate it a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
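The threshold alert described in the use case above, as an added example that is not the reviewer's or Splunk's own code: a small Python check, in the style of a SOAR playbook step, that flags corporate senders exceeding a message count to personal webmail domains within a sliding time window. The personal-domain list, the threshold, the window and the mail-gateway events are all constructed assumptions.

```python
"""Threshold alert for bulk mail from a corporate sender to personal mailboxes.

Added illustration, not Splunk SOAR code: a playbook-style check that could run
over mail-gateway events the SIEM already ingests.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: domains the organisation treats as personal webmail (hypothetical list).
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed sample events: (timestamp, sender, recipient). Not real data.
SAMPLE_EVENTS = [
    ("2024-07-01T09:00:00", "alice@corp.example", "alice.home@gmail.com"),
    ("2024-07-01T09:02:00", "alice@corp.example", "alice.home@gmail.com"),
    ("2024-07-01T09:04:00", "alice@corp.example", "alice.home@gmail.com"),
    ("2024-07-01T09:05:00", "alice@corp.example", "alice.home@gmail.com"),
    ("2024-07-01T09:30:00", "bob@corp.example", "partner@vendor.example"),
    ("2024-07-01T09:31:00", "bob@corp.example", "bob.private@yahoo.com"),
    ("2024-07-01T11:00:00", "alice@corp.example", "alice.home@gmail.com"),
]


def is_personal(recipient: str) -> bool:
    """True when the recipient mailbox is on a personal webmail domain."""
    return recipient.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS


def bulk_personal_senders(events, threshold=3, window=timedelta(minutes=10)):
    """Return senders who sent more than `threshold` mails to personal
    addresses within any sliding `window`. Each alert: (sender, count, first_ts).
    """
    per_sender = defaultdict(list)
    for ts, sender, rcpt in events:
        if is_personal(rcpt):
            per_sender[sender].append(datetime.fromisoformat(ts))
    alerts = []
    for sender, stamps in per_sender.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # shrink the window from the left
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts.append((sender, count, stamps[start].isoformat()))
                break  # one alert per sender is enough for triage
    return alerts


if __name__ == "__main__":
    for sender, count, since in bulk_personal_senders(SAMPLE_EVENTS):
        print(f"ALERT {sender}: {count} mails to personal addresses since {since}")
```

In a real deployment the event list would come from the SIEM search the playbook runs, and the alert tuple would feed the case or notification action rather than a print.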
Last updated: Jul 11, 2024
Updated: October 2024