Cyber Defense Center Capability Lead at a financial services firm with 1,001-5,000 employees
Helps analysts with investigations by automating repetitive tasks and presenting them with scripts that include user lookups, and other information
Pros and Cons
- "We are not a 24/7 SOC, so the most valuable feature of Splunk SOAR is the auto-response to threats when we are not in the office and the notifications that it sends to the on-call engineer."
- "It would be ideal for us if Splunk SOAR could integrate with Teams."
What is our primary use case?
We use Splunk SOAR to automate response for ransomware attacks.
How has it helped my organization?
We are triaging with SOAR. It helps the analysts with investigations by automating repetitive tasks and presenting them with scripts that include user lookups, and other information. It also includes widgets for notes.
Splunk SOAR has helped us save on repetitive tasks. Before we had SOAR, we used to triage in Splunk Enterprise using our app but we have migrated most of the searches into SOAR. Now with SOAR, we can get it to close the alerts we know about automatically. It is much faster so the analyst doesn't have many alerts to deal with. Now that we have migrated, we are moving more towards automation and using SOAR to work more for us. Splunk SOAR has freed up the time of three full-time analysts to focus on other tasks.
We only use Splunk SOAR on-premises, but end-to-end visibility is key to having a fast response to ransomware attacks even when we are not in the office.
Splunk has saved us time in threat response.
What is most valuable?
We are not a 24/7 SOC, so the most valuable feature of Splunk SOAR is the auto-response to threats when we are not in the office and the notifications that it sends to the on-call engineer.
What needs improvement?
The banks have recently bought Splunk Enterprise Security. We haven't implemented it yet. It is being built. The new version coming out is going to incorporate Mission Control and SOAR. It looks like we will need to move Splunk again and do our triage in Enterprise Security. The reason we took the step to SOAR was for the functionality available for the triage which is now being incorporated into Mission Control. We can easily migrate the data over to Mission Control. For us, the next steps will be to use it as a backend server where we can run playbooks and triage in there.
It would be ideal for us if Splunk SOAR could integrate with Teams.
Buyer's Guide
Splunk SOAR
October 2024
Learn what your peers think about Splunk SOAR. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
824,145 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Splunk SOAR for three years.
What do I think about the stability of the solution?
The version of Splunk SOAR we are on now is stable. We did have issues with the failover in the early days but now with how we have it configured there is hardly any downtime.
What do I think about the scalability of the solution?
We use about one point six terabytes of data per day with Splunk with about 6,000 users. We don't need it to scale at the moment.
How are customer service and support?
We use Splunk technical support a lot. They are good and we have a good relationship with our Account Manager who helps us with the tickets and provides us with articles.
Splunk technical support wasn't always readily available, and in one instance, a support representative didn't have the expertise to resolve our specific problem.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before Splunk we had our analyst log in manually to Carbon Black. No tool automated the tasks until we switched to Splunk.
How was the initial setup?
We had to get a small engineering team of about three people to be dedicated to Splunk SOAR so we could have Splunk professional service come in and give us a startup. That worked well. They passed their knowledge to our engineering team and we maintain it in-house now.
What about the implementation team?
The implementation was completed with the help of the Splunk professional services team.
What's my experience with pricing, setup cost, and licensing?
I found the price of Splunk SOAR to be good.
What other advice do I have?
I would rate Splunk SOAR nine out of ten.
Our initial Splunk installation was a successful proof of concept but needed to be made more reliable. Splunk professional services offered assistance, but due to limitations in finding a suitable SOAR solution, we opted for a cold standby implementation. This allows us to switch to the standby instance if the primary SOAR becomes unavailable.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Last updated: Jul 7, 2024
Staff Security Engineer at an engineering company with 10,001+ employees
Reduces our mean time to resolution but can be unreliable
Pros and Cons
- "The most valuable feature is the API connector, depending on how it's formatted and who made the actual app offering for it. The REST API is my favorite component. It's very easy to use. The filters are also really valuable. Those are the two primary features but I enjoy using the rest of it."
- "SOAR is probably the most unreliable product Splunk has and that's because most of it is content driven from what you put into it. There are certain parts of it that have a little bit of difficulty at volume too. It's always changing. There is new stuff coming out for it that's going to make it a little bit better, but it does have some drawbacks."
What is our primary use case?
My primary use case is for SOC automation but it's used for a lot more than that. Some of the use cases are more or less appropriate for it. It's capable of doing a lot of things.
We use the SOAR platform to ingest alerts and escalations that we get. They do the actual enrichment processing and triaging but we don't use it for detection. We potentially could, but it's not what the product is meant for.
How has it helped my organization?
The visual playbook editor updates that they released have been absolutely instrumental because the old editor was impossible to look at for most of the time. It made my eyes bleed. I still have to look at it from time to time.
Splunk does provide substantial value.
It definitely does reduce our mean time to resolution through the enrichment details that it provides. Inputting your facts and details of the things you do not want to see with the events coming into it and easily filtering down off of that is one of the main value drivers outside of phish removal.
What is most valuable?
The most valuable feature is the API connector, depending on how it's formatted and who made the actual app offering for it. The REST API is my favorite component. It's very easy to use. The filters are also really valuable. Those are the two primary features but I enjoy using the rest of it.
What needs improvement?
SOAR is probably the most unreliable product Splunk has and that's because most of it is content driven from what you put into it. There are certain parts of it that have a little bit of difficulty at volume too. It's always changing. There is new stuff coming out for it that's going to make it a little bit better, but it does have some drawbacks.
It's specifically geared for SOC and not broader automation. The artifact filtering that's forced on everything inside the platform is pretty awful. It's for a subset of active playbooks which, out of the two hundred that we own, I think three or four of them are active, but we have to play with that setting for each one of them.
Every block should also have that option specifically because if you're not doing the artifact filtering on the front end, it's not good.
We've had lots of processes that have been victim to filtering not working appropriately at scale. It's hard to actually track down and trace because we can't reproduce the issues that we see in our testing environment or in production. That was two minor versions ago. It might have changed, it might not have, but we don't have a lot of trust in that feature.
UI elements like interacting with our analysts are near impossible. Finding stuff on the actual dashboard is really impossible most of the time. One example is that the timeline takes up three-quarters of the screen, but not a single person uses it because you have to individually set the container, the artifacts, and the actions to a specific attribute field that's really difficult to correlate to the actual events you put into it. The artifacts are really weird too because they're not traditional forensic artifacts. You shouldn't be able to change the value of an actual artifact. It was in that capacity but we also use it for that purpose in the platform.
For how long have I used the solution?
My company was one of Splunk's first five customers. I have been using it for the last three years.
What do I think about the stability of the solution?
I've only crashed SOAR a few times and it was my fault. If you have a production environment that's been running for a month or two and you have a few thousand events in it, if you mess up your query when you're trying to ask it a question and you do page size zero, it will just give you things on it, and it will crash it. That's a fun thing, but you shouldn't do that in general. That was a mistake on my part. Generally, it is very stable and available as most of the issues are usually the fault of the vendors that it's talking to, but that's with any platform.
What do I think about the scalability of the solution?
Scalability is interesting. Some of the assets do choke each other out. There is a cyclical lock thing that we had to fix on our inside. We have a CrowdStrike app, and we give it a file and ask it to do something and it goes great. It tells us that the default wait time is fifteen minutes, and there's only one of me. But there are five processes competing for that, and you get a giant backlog. We had to make our own custom app to get it later.
We have about fifty users on SOAR and a few hundred playbooks. Our environment is fairly large in terms of standard customers.
How was the initial setup?
I didn't do the initial integration; it was many years ago, but we do deployments with the platforms team because we have the experience.
We have it down to a pretty good science right now because platform science does a really good job of automating the steps that go into setting up the server and whatnot. One good thing about the SOAR connectors that we have in the apps is the ability to save states and for apps just to self-heal. That has been really helpful because things go down from time to time and we don't have to worry about it because there's a second or third process that's going to pick it up.
What's my experience with pricing, setup cost, and licensing?
I have heard they are changing pricing, not possibly for the better. In comparison to the other vendors we looked at, they're all in the same ballpark of what they should be billing on. SOAR makes the most sense out of all of them, in terms of the billing factors.
Which other solutions did I evaluate?
We are looking at other platforms currently to compare areas. Splunk's editors are exceptionally better to look at. Visually, it's easier to find things and configure them.
There is more capability out-of-the-box for doing typical data transformation that you don't have to write too much code for, which is really nice. The code blocks have annotations in them. So when you actually open and look at what you worked on, four or five months later, you have your notes right there in the same place where it runs, which is really handy.
It's also just built for broader automation and it's all more HTTP, actions-based. Instead of having to build a connector, then put that on GitHub and install that in your platform, you can define an endpoint with credentials and you can do the same thing with SOAR. It's encouraged to do it with the actions and assets, which can be beneficial depending on what the product is.
If we do continue using SOAR, I think we're going to default to using more HTTP actions and stop using too many assets because it's a bit of a burden to create one, especially if out-of-the-box the actual configuration doesn't do what we need it to.
One example of this that we have is the request tracker app that we use for all of our tickets. When you ask it for the ticket information, it will return the metadata on it, nothing inside the actual ticket. That's a fork we have to create. It didn't actually do the basic product functionality that the vendor should be providing.
We also find that the vendors don't always keep the SOAR connectors updated. Sometimes they'll update the associated API, and then their connector will stop working because they're on different versions, and then we have to force our own fix on that. They usually make a SOAR connector just to say that they have one, but they won't put too much effort or thought into it.
What other advice do I have?
I'd probably rate the functionality an eight or a nine out of ten. I would give the UI a four out of ten. I would rate general Splunk SOAR a seven out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Splunk BDM at Clicko
Is user-friendly, integrates well, and is stable
Pros and Cons
- "Splunk SOAR's quick response to incidents is the most valuable part."
- "The cost of Splunk SOAR has room for improvement."
What is our primary use case?
Splunk SOAR streamlines the handling of common customer scenarios that arise across diverse situations. Even when specific expertise within our team varies, Splunk SOAR empowers all users with pre-built playbooks, guiding them through the required actions in any circumstance.
How has it helped my organization?
Splunk SOAR's UI is user-friendly for managing workflows.
The integration of Splunk SOAR is good.
When we implemented Splunk SOAR we were able to reduce our team of five down to three.
What is most valuable?
Splunk SOAR's quick response to incidents is the most valuable part.
What needs improvement?
The cost of Splunk SOAR has room for improvement.
For how long have I used the solution?
I have been using Splunk SOAR for a couple of years.
What do I think about the stability of the solution?
Splunk SOAR is stable. We have not heard of any issues from our customers.
What do I think about the scalability of the solution?
Splunk SOAR is scalable.
What's my experience with pricing, setup cost, and licensing?
The cost is high and the licensing is on an annual basis.
What other advice do I have?
I would rate Splunk SOAR an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Security Engineer at a university with 501-1,000 employees
Has the ability to connect it to external apps
Pros and Cons
- "It has definitely saved a decent amount of time for our analysts so they can focus on other tasks."
- "We've run into a few minor issues. Some of the playbook writing is a bit complicated. We've had a few hiccups with the source control. We'd really like to use GitHub deployment keys for a dedicated account. We haven't been able to do that. I think those are some of the major ones."
What is our primary use case?
We are primarily using it to automate tasks for our incident response team. They use it to block suspicious traffic from our network detection system and for alerts from our endpoint security system. Those are the two major use cases we're using it for right now.
How has it helped my organization?
It has definitely saved a decent amount of time for our analysts so they can focus on other tasks. This gives us more value for man hours.
It has definitely improved our business resilience. It's given us greater visibility into the environment we have and the ability to collect all of the threat and log data and put it into one central place.
What is most valuable?
The ability to connect it to external apps is the most valuable feature. We've also gotten a lot of use from writing custom apps for some of our authentication systems for password scramble.
Splunk's ability to predict, identify, and problem-solve in real time is really good.
Splunk's ability to provide business resilience by empowering staff is fairly high. It detects issues as they come up and responds to them.
We have seen time to value. I did help configure it, but we do have the cloud solution, so it was mostly in place.
It has definitely helped to reduce our mean time to resolve. Having it there to automatically take action as events come in and not needing the analysts to have to go out and have a look is how it saved time.
What needs improvement?
We've run into a few minor issues. Some of the playbook writing is a bit complicated. We've had a few hiccups with the source control. We'd really like to use GitHub deployment keys for a dedicated account. We haven't been able to do that. I think those are some of the major ones.
There is a general learning curve as far as playbook writing goes.
For how long have I used the solution?
I have been using SOAR for four to five months.
What do I think about the stability of the solution?
Stability is good. We've had a few hiccups with apps, but never a major outage. I would rate it an eight out of ten.
What do I think about the scalability of the solution?
I haven't really grown it very wide yet, but I could easily foresee us doing that.
How are customer service and support?
I've opened a few tickets for different issues with apps, and they have always been responded to fairly quickly. I'd give support a ten out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I did help configure it but we have a cloud solution, so it was mostly in place.
The development was fairly straightforward. There were some issues setting up the single sign-on, but we were able to get help from Splunk to get all that straightened out. The roles in user accounts and onboarding were all fairly straightforward. App configuration is also something that's pretty streamlined and intuitive.
We did it all in-house.
What was our ROI?
We have seen ROI in its ability to streamline and automate mundane tasks that we would run into on a daily basis. It freed up DevOps people from having to maintain custom tools that were previously used to complete similar tasks.
What other advice do I have?
I would rate Splunk SOAR a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr. Principal Info Sec Analyst at a tech vendor with 5,001-10,000 employees
Helped eliminate repetitive and redundant tasks, but custom functions and reporting need a lot of work
Pros and Cons
- "When you design a playbook, you can integrate multiple log sources and define rules... After that, the platform automatically compiles all these activities and, based on the results, the analyst only has to indicate whether the result is a true or false positive. That reduces the time and effort involved."
- "Suppose I am initially granted user rights or analyst rights, but later on, I also get admin rights. SOAR is unable to amend the limitations of my role. I raised a support ticket with Splunk about this. They said it's a bug in their 5.3.5 version. To fix this, I had to reinstall the entire platform from scratch."
What is our primary use case?
I'm using it mainly for SOC automation and reporting. It's for incident and threat modeling, incident reporting, and triage.
I come from a cybersecurity background and I used to work on the tickets for the security alerts we received from various sources, including Splunk and other SIEM tools. The major challenge was that we were occupied with a lot of noise and activities like validation of IP reports, DNS checks, and traffic monitoring. These were redundant activities that every analyst had to do. We wanted to stop these kinds of activities.
How has it helped my organization?
Splunk SOAR has multiple integrations with various tools, such as VirusTotal. Once we purchased those tools from the respective owners and automated them, the kinds of redundant activities we were having to do were almost immediately stopped.
Also, the ingestion of multiple log sources together helped us eliminate false positives. Using the SOAR platform, our monthly alert count was reduced from 1,100 to 200 or 250. That was the best impact we have seen from implementing SOAR in our environment.
It has reduced our mean time to detect and mean time to respond, from 20 to 30 minutes to just 5 to 10 minutes. In cybersecurity, every moment can be a ticking time bomb for us. We need to get to a solution immediately, whenever any incident is triggered in our environment. SOAR has helped us a lot.
Using this platform has resulted in a better work-life balance for my team.
What is most valuable?
One of the features I like most is playbook creation, and custom functions are another.
When you design a playbook, you can integrate multiple log sources and define rules. That used to be done by the analysts by going to the respective tools and doing tasks manually. Now, with playbook design, writing down those rules is a one-time activity that a SOAR admin has to do. After that, the platform automatically compiles all these activities and, based on the results, the analyst only has to indicate whether the result is a true or false positive. That reduces the time and effort involved. Our KPIs have greatly improved. An incident that used to take 15 to 20 minutes was reduced to five minutes. This helped us speed up our response to any alert, whether it was a true positive or false positive.
Another of the best parts of the SOAR platform is its ability to integrate with other systems and applications. It provides API integrations and, through them, I can limit the rights for the tool, which is good. If I want to integrate any of the applications with CrowdStrike, but only for incident-review policies or just to review the work automation, I can grant rights only for those purposes. That is one of the best features available in SOAR. It is very easy to implement and very user-friendly.
What needs improvement?
The visibility of the solution's playbook viewer depends on the rights you assign to the analyst. SOAR has the flexibility to distinguish between the roles of analyst and owner. If the analyst's role is to just work on a ticket, they cannot view the playbook design platform. That is limited to the owner. That can be both a good and bad thing.
A major problem I have faced in SOAR's rights distribution is roles and responsibilities. Suppose I am initially granted user rights or analyst rights, but later on, I also get admin rights. SOAR is unable to amend the limitations of my role. I raised a support ticket with Splunk about this. They said it's a bug in their 5.3.5 version. To fix this, I had to reinstall the entire platform from scratch, just to amend the rights and responsibilities of one role. This bug was not fixed.
Also, the latest GUI is terrible. The previous one was better.
Another point is that while using Splunk SOAR in an investigation is not difficult, there are some complex parameters. We have SOAR case management, but the licensing is going to put a big hole in your pocket. Also, there is an issue with investigation node addition. When you are doing node additions you cannot grant the entire environment to have SOAR visibility into the incident. So when you integrate it with an ITSM tool, like ServiceNow or Jira for ticketing purposes, there is a challenge. When you do nodes for investigation on a regular basis, sometimes it does not update our ServiceNow platform, which is terrible. It is a redundant activity for an analyst to update that in the case management as well as in the ITSM tool. Although SOAR provides integration, the functionality of investigation and nodes is terrible when it comes to integration.
An additional area for improvement is custom function creation. It's terrible. A newbie cannot create custom functions right away. They would require a solid understanding first.
Also, the reporting is really awful. If I want to do a report for a customized time period, such as the last three days or the last four days, or from the 10th to the 12th of June, that is not available in SOAR at all. That kind of feature is available in Cortex XSOAR. Reporting is a real challenge.
For how long have I used the solution?
I have been using Splunk SOAR for four years.
What do I think about the stability of the solution?
It's a stable environment. I don't have any complaints about it in terms of its stability.
What do I think about the scalability of the solution?
Aside from the issue I described where I started with an analyst's role in the solution and then was granted an admin role but the privileges remained those of an analyst, and I had to reinstall the entire platform, overall, the scalability is good.
How are customer service and support?
We have contacted their tech support many times. They are readily available if I raise a P-1 ticket, because SOAR is not something we can work without. Their support is good and more capable than the SME we hired.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Before SOAR was purchased by Splunk, it was named Phantom and that is what I have worked with most of the time. I have also worked on Demisto, which is now Palo Alto Cortex XSOAR. That was a bit more user-friendly compared to Splunk SOAR.
How was the initial setup?
The initial deployment of SOAR is very complex. In my previous company, the deployment took me almost 10 days, and that was with a Splunk SME sitting with us. We paid them money to have the SME, but even he was unable to do what we needed to be done. Later on, we raised a support ticket with them and there were multiple escalations from our upper management to the Splunk management team. They then sent a good technical guy and he fixed the issue within five minutes. Before that, we were unable to do the DR instance. It took around 10 to 15 days just to fix that.
It's very difficult to install. No newbie could install SOAR on his own. He will require support. Here, I'm specifically talking about the later versions, not Phantom, rather once it became Splunk SOAR v5.3.5.
We had three people involved.
There is some maintenance. For example, it was using Python 2.7 and then there was the decommissioning of that version and the move to Python 3.x. That meant upgrading all the playbooks.
What's my experience with pricing, setup cost, and licensing?
It's very overpriced because it is based on the number of users. There is no bulk licensing.
What other advice do I have?
My advice would be to negotiate the cost. And if your organization is on the smaller side, with between 200 to 500 employees, you should not purchase it because it will blow up your finances. A bigger environment, with 2,000-plus employees, can go with the Splunk SOAR solution.
And if you are going with this solution, you should confirm what support they are going to provide, such as whether they are going to provide training credits or not. Sometimes they don't provide Splunk credits for training. Any newbie who is going to work on this will find it terrible to work in this environment. He will not be able to work without guidance. Other SOAR solutions, like Demisto (Cortex SOAR) are very user-friendly.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
VP - Security Automation Lead at a financial services firm with 10,001+ employees
Feature rich, useful automation playbook, and reliable
Pros and Cons
- "I have found all the security automation platform features of Splunk SOAR to be good. The Automation playbook development is highly useful."
- "The Splunk SOAR platform was not designed specifically for case management which is why this area needs improvement."
What is our primary use case?
Security Operations and Incident response processes automation and alerts enrichment.
What is most valuable?
I have found all the security automation platform features of Splunk SOAR to be good. The Automation playbook development is highly useful.
What needs improvement?
The Splunk SOAR case management feature lacks some of the functionalities like the possibility to fully customize the fields for the tickets/events and create custom statuses.
For how long have I used the solution?
I have used Splunk SOAR within the last 12 months.
What do I think about the stability of the solution?
Splunk SOAR is a stable solution.
What do I think about the scalability of the solution?
The scalability of Splunk SOAR is good.
We have approximately 100 people using this solution in my organization.
How are customer service and support?
The technical support is good.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup of Splunk SOAR is complex. It has multiple integrations, deployable on many different development infrastructure stages of production. It has a full life cycle.
What about the implementation team?
We have approximately two people for the maintenance and support of Splunk SOAR.
What's my experience with pricing, setup cost, and licensing?
The price of Splunk SOAR is reasonable.
What other advice do I have?
My advice to others is they will need some Python developers for Splunk SOAR because it's not possible to only throw some blocks of Python code and it will work. You will need some experienced Python developers if you want to work with this platform.
I rate Splunk SOAR a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Deputy Manager at a tech vendor with 10,001+ employees
Multiple deployment options, simple customization, and highly mature functionality
Pros and Cons
- "The most valuable feature of Splunk SOAR that stands out is it has a great SOAR. The automation and orchestration module is highly mature. A lot of use cases are on user entity and behavioral analytics (UEBA), which is artificial intelligence and machine learning-based (AIML)."
- "Splunk SOAR can improve IoT/OT security-related case studies or your use cases. Their integration with identity and access management (IAM) solutions is a bit shaky. They don't have good integration with a lot of IAM solutions. They do have good capability in terms of user access management internally, but even with privileged user access, they have a good module. However, if they have to integrate with solutions, such as CyberArk or IBM IAM solutions, they are lacking; the visibility of user access is not that much."
What is our primary use case?
Splunk SOAR can be deployed on the cloud, on-premise, and hybrid. If you want to put it to your cellphone or public cloud to use cloud services, such as Amazon AWS or Google Cloud Platform it is possible.
The main usage is for security monitoring, insider threat protection, user and entity behavioral analytics (UEBA), Security orchestration, automation, privileged user and account protection, and security against attacks, such as phishing and advanced malware attacks.
What is most valuable?
The most valuable feature of Splunk SOAR that stands out is that it has a great SOAR. The automation and orchestration module is highly mature. A lot of use cases are on user entity and behavioral analytics (UEBA), which is artificial intelligence and machine learning-based (AIML).
What needs improvement?
Splunk SOAR can improve IoT/OT security-related case studies or your use cases. Their integration with identity and access management (IAM) solutions is a bit shaky. They don't have good integration with a lot of IAM solutions. They do have good capability in terms of user access management internally, and even with privileged user access, they have a good module. However, if they have to integrate with solutions such as CyberArk or IBM IAM solutions, they are lacking; the visibility of user access is not that great.
For how long have I used the solution?
I have been using Splunk SOAR for approximately 10 years.
What do I think about the stability of the solution?
The stability of Splunk SOAR is good.
What do I think about the scalability of the solution?
Splunk SOAR is highly scalable.
How are customer service and support?
I rate the support from Splunk SOAR a three out of five.
The support knowledge of use cases from the telecom industry and the IoT industry is good. They're good at accommodating normal IT use cases, but when it comes to operating our OT devices, or telecom-related use cases, they're not really flexible or good at it. In terms of developing use cases for them, they are not that good. For example, if they are approached by some vendor and they say, "Devise some use cases for Nokia and Huawei", which are our basic telecom providers, it's really difficult for Splunk SOAR to make use cases for them. They're good at IT, but they're not good at OT and IoT.
How was the initial setup?
Splunk SOAR is easy to deploy. It has a lot of already built-in use cases, and it is very easy to customize. For the deployment of Splunk SOAR, it takes approximately two engineers. For a medium-complexity, 3000 DPS-sized deployment, it will take half a month. If there are a lot of custom use cases, you can add another month for those customizations to be completed.
What about the implementation team?
We need approximately four to five engineers for maintenance for a dedicated sizing. If you are going for a shared model, then two to three engineers would be sufficient. Both have 24-hours-a-day, seven-days-a-week operating windows.
What was our ROI?
I won't say the ROI's not there for Splunk SOAR. It's a value-for-money solution, but if they charged less, then it would bring more value. Currently, the ROI is flat; you will hardly have an ROI.
What's my experience with pricing, setup cost, and licensing?
Splunk SOAR follows very flat pricing, and most of the time it's very high when compared to the other competitors. They can improve their pricing. The licensing model is a subscription and is consumption-based.
What other advice do I have?
I rate Splunk SOAR an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber Security Architect at a financial services firm with 201-500 employees
A stable solution that can be used for security, but its version upgrading requires expertise and time commitment
Pros and Cons
- "The most valuable feature of Splunk SOAR is the automated playbooks, which save analysts time."
- "Splunk SOAR should improve its ease of upgrade, which is a pain point for us right now."
What is our primary use case?
We use Splunk SOAR mainly for security.
What is most valuable?
The most valuable feature of Splunk SOAR is the automated playbooks, which save analysts time. The results that are returned provide additional context that we would otherwise have to look up manually in different tools. Splunk SOAR provides it in one pane of glass.
What needs improvement?
Splunk SOAR should improve its ease of upgrade, which is a pain point for us right now. Each version upgrade requires expertise and time commitment. Then, we usually have to troubleshoot it with support.
For how long have I used the solution?
I have been using Splunk SOAR for two years.
What do I think about the stability of the solution?
Except for the upgrade challenges, Splunk SOAR is stable when it's operational.
What do I think about the scalability of the solution?
Splunk SOAR is a scalable solution.
How are customer service and support?
Splunk SOAR's technical support has been responsive. We have to go through tiers to get to the correct person for support.
How would you rate customer service and support?
Positive
How was the initial setup?
Splunk SOAR's initial setup is complex.
What about the implementation team?
The solution's deployment requires Splunk's outsourced professional services, who take care of the complexity for you. The professional services were good, and they knew what needed to be done for the solution's implementation.
Two people were required for the solution's deployment. These two people were responsible for administration, the use cases we needed to develop, our integration with the platforms, and integration with Splunk Enterprise.
What was our ROI?
We've had some challenges justifying our return on investment because of the development work and the continual efforts to maintain the solution. We haven't seen the return on investment yet, but I'm hopeful it can get us there.
What's my experience with pricing, setup cost, and licensing?
Splunk SOAR is an expensive solution for an organization of our size. I don't like the solution's licensing model.
Which other solutions did I evaluate?
Before choosing Splunk SOAR, we evaluated other options. Splunk SOAR easily integrated with our Splunk solution, which was our main key. We are already a Splunk customer, which made the contracting easy.
What other advice do I have?
Our organization monitors multiple cloud environments. Monitoring multiple cloud environments using Splunk SOAR is fairly easy when the integrations work. Some apps within Splunk SOAR require you to configure them and ensure they maintain their connection and that they're updated. We've had several issues with third-party ones and those developed by Splunk.
It is important for your organization that Splunk SOAR has end-to-end visibility into your cloud-native environment. We're security-focused, and we want to be able to look at the logs that are in our native applications.
For the use cases we've implemented, Splunk SOAR has helped reduce our mean time to resolve. However, there's been a lot of time to develop that. Overall, I haven't seen that I've saved time yet, but I expect we will in the future. Splunk SOAR can save the analyst up to 30 minutes for a single malware analysis playbook.
Overall, I rate Splunk SOAR a six out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Updated: October 2024