Splunk SOAR Reviews

This is a DevOps product.

We use the solution to monitor the activity of users and integrate Splunk UEBA, monitoring traffic, packages, external attacks, left movement, and lateral movements. We also use it maybe inside the person's C2 servers, and for exercise and SQL injections. Basically, we use the solution for any type of attack that can happen regarding the meter attack grid.

The solution is very versatile.

It's a multi-functioning solution.

My understanding is the initial setup isn't too hard. 

The version control is excellent. 

Technical support is extremely helpful and responsive. 

The pricing could be a bit more reasonable. It would be great if it were feasible for smaller organizations. 

I've been using the solution for two years now as a part of the bigger Splunk Enterprise deployment.

The stability is great. It offers easy version control. There are no bugs and glitches. It doesn't crash or freeze. The team is doing great managing releases. 

The scalability is very high. It is easy to expand as needed. 

I use it in a very large organization with well over one million users worldwide. 

We have a premium and dedicated team for tech support as well as a dedicated account manager. Everything is dedicated to the deployment. I can't say I'm not satisfied. Their response is usually very fast - within 30 minutes - and we have good experience with them.

Positive

While I use other products as well, 90% of my day is on Splunk.

While I didn't handle the implementation directly, I understand it's pretty easy.

While the pricing is high, I don't care as long as the enterprise pays for it. For developers, it is free for 6 months and 500 GBs of ingestion per day.

From an enterprise standpoint, I'd rate the pricing ten out of ten as they are doing a great job and we are getting value for what we pay.

I'm an end-user.

I'd advise new users to spend some time at the outset learning the commands. It will make it very easy to deal with.

I'd rate the solution ten out of ten.

One of our use cases is to automate any kind of process after investigation. When going into an investigation, we want to make sure that we have the right tools to use. Instead of having multiple tools, we can bring them all into one platform, such as Splunk SOAR, to provide us with that information.

Splunk SOAR has not benefited us yet because we are currently in the development process, but I believe that in the future, it will help us streamline our process and our RTR to respond and detect. It is going to help us in the future, but it has not brought us any benefit yet because we are currently building it up.

It is very important that Splunk SOAR has end-to-end visibility into our cloud-native environment. If there is no visibility, then there is no ability for us to detect on time and respond in time. It knocks out a lot of that time discrepancy.

Splunk SOAR has not yet helped reduce our mean time to resolve. It will be helping us in the future due to its playbooks and its compatibility with Mission Control and other Splunk integrations.

It has helped us with our business continuity and our ability to respond to different threats that might be out there.

Splunk SOAR has not saved us time in alert triage. We are still in the early stages of getting Splunk SOAR onboarded and developed, but I believe that it will significantly reduce our time to triage. Similarly, Splunk SOAR has not saved us time in threat response, but it will do so in the future.

Splunk's unified platform has helped consolidate networking, security, and IT observability tools. Splunk's unified platform has been great for every organization. Every analyst has been able to use one unified area.

In Splunk SOAR, I find the playbooks valuable. We get to create multiple playbooks, and within each playbook, there is a different type of investigation attached to it, which helps out an analyst or new analysts coming on board. When they get an incident, they do not need to find out where to start. All they have to do is to go to a particular playbook. It will give them end-to-end specifics on what to do and how to process it.

They can improve what they are currently doing. They can provide more playbooks or at least template playbooks that are in their repository. That is one area.

Another area would probably be related to onboarding different playbooks or different tool sets that new engineers have. Eventually, they will get there to ingest more tools and datasets into their SOAR. 

In terms of additional features, it is hard to say. There can be more integration with other data ingestion platforms out there, not just Splunk.

We have been using it for about one month.

We have not played with it too much yet. Once we are able to play with it more and get more details from it, we can respond to that.

It can be very scalable just because of the number of different apps that the community pushes to it. Right now, it is not there yet, but I believe in the near future, it is going to be the best growing platform out there.

Splunk's customer service is great and impeccable. I believe that they have been a very valuable resource to our organization and our team.

I would rate their support an eight out of ten just because I believe that no one really gets a ten. It is an eight just because the answers that they cannot answer for us, they are able to get from the community. The community really helps out, but they are always there to help, and they are always responsive.

We are using Splunk Cloud, the public cloud, but we also have on-prem. We use AWS.

As the initial start of the Splunk SOAR, we are getting started with developing the playbooks and getting the configurations set up with our users and toolsets. It has been pretty easy so far. I have not had any hiccups, but we will see where that takes us as we finish our development.

We did not use any integrator or reseller.

We have just started getting our metrics developed, ingesting into Splunk, and showing that to the executives.

I would rate Splunk SOAR a nine out of ten just because it does hit all points for the use cases as an analyst, engineer, or developer. It allows us to automate and orchestrate all of our detections and respond to them very quickly.

My use case for Splunk SOAR is security automation.

We are running a Splunk SOAR cluster. Three nodes in three different environments in a dev-test and prod environment.

The SOC team has been much less burdened since implementing Splunk SOAR. They're able to completely automate away some events. At the very least, they get so much information gathered from our automated actions that they're able to almost immediately take action if action isn't already taken by the playbooks that are being run.

Splunk SOAR has helped reduce our mean time to resolve. It has reduced, for example, ten-minute investigations into 30-second ones. Sometimes all our analysts need is a little bit of context, and they can immediately make a decision based on that. There are some events that we have where normally investigating them would take about ten minutes. We get a ton of those a day. I did the math and Splunk SOAR saves over 70 hours a week, which is massive. That savings is only for those types of events alone. In that context, it is a huge improvement.

Splunk SOAR has helped improve our business resilience. It's an extremely powerful tool. I do think that the ability it has depends on the people implementing it, though. The implementation needs to be good. If it's not, that's not Splunk SOAR's fault, that's the organization's fault. If they do it right, it is incredible.

Splunk SOAR has saved us time with alert triage. Even on simple events that might take ten minutes, we're taking that down by around 95 percent. Almost all events can at least have some sort of automation that saves minutes and every minute counts and saves us so much time.

Splunk SOAR has saved us time in threat response.

The most valuable features are the Splunk SOAR apps and playbooks. I am a Splunk SOAR developer, and my job is to make sure that integrations with third-party systems are done well. I give guidelines for how to properly make Splunk SOAR apps. These two features are essential in how the apps will work.

One area for improvement in Splunk SOAR is version control for Splunk apps. Currently, for Splunk playbooks, we can hook up a Splunk store to a Git repository with playbooks in it, and it will pull them down periodically, which is amazing. Splunk apps don't have that, and that would be extremely helpful because we do custom coding a lot. There are many vendors out there. And because there isn't source control, we need to emulate that same behavior, which causes us to do other things. For example, we need to create a Git repository somewhere on SOAR and create a clone job that periodically runs a Git pull action. After that, we bring all that SOAR data into that repository. We need to have a Git Hook that automatically tars the app we just created and then uses the API to automatically upload it. Because of that, now we have this app data that's being doubled up because we have SOAR apps in the Apps directory on the back end of Splunk SOAR, and we also have this Git repository, which holds all the same information. That could be highly simplified, and that is a big gap that would make my life and probably other developers' a lot easier. 

There is a specific situation that comes into place when we have a Splunk SOAR cluster we have to work with. If we also don't have it hooked up to an external Splunk Enterprise instance, trying to debug what's going on in the cluster is extremely difficult because there are 45 different log locations. That could be extremely difficult to try and find out what is going on with all the microservices that are being used in a Splunk SOAR cluster. I had to personally develop a tool to be able to monitor all those logs at once and then parse it out and query that log once we're done with whatever operation so that we can get a clear picture of what's going on in the SOAR cluster, which has been immensely helpful, taking hours off of debugging time to do that. It would be nice to have a tool like that natively available in Splunk SOAR to begin with. Even without the cluster, I believe it's over 30 log sources that could go wrong. 

Providing Splunk app developers and playbook developers Python Stub files so that way when they create custom code through their IDE, they can have IntelliCode suggestions. It could be dangerous for someone who is coding to constantly have to look back at the documentation and not see, for example, a Python dictionary where they are expecting it. In reality, it's a list, that could cause errors when a playbook runs or when an app runs, and that could be a potential incident that now goes unresolved or a serious issue. That's dangerous. Providing SOAR app developers with some Python Stub files that they can use for IntelliCode suggestions would also be helpful. Also having slight changes to the way that it's expected to create custom modifications to already existing apps on GitHub or Splunk base by essentially inheriting from the base app when we want to have custom modifications, and developers should have to explicitly override any methods from the base class that's there. That way, we're not modifying any of the underlying layers of the base app that's there. We could also hook it up to a Git Repository to receive those updates into the base app and then the custom app. This way we have these custom app features, we have all these extra things being put into it, still on the custom app end so we can have our features and the base app all in one. I think that'd be a novel solution.

I have been using Splunk SOAR for one year.

As a standalone instance, SOAR is extremely stable. I don't have any issues with it. The only reason there might be an issue is if we lack resources on the hardware itself, and that's more of a problem from an architecting, and engineering perspective, not exactly Splunk SOAR. When it comes to the Splunk SOAR cluster, it is pretty complicated. There are five different microservices, and if we have an issue there, we have 45 different log sources to get that info from, and it can be hard to debug it. If we have a problem, it can be hard to diagnose which microservice we might be having issues with.

Splunk SOAR scales well though when we get to I believe, more than five nodes in a Splunk SOAR cluster, it becomes a little bit unwieldy, and it takes long for things to happen. If we need to update something in the cluster, things can get slow and we have been told by professional services to try and keep it at three nodes because anything more than that is unwieldy as they have said. I believe that is a known issue with Splunk SOAR.

The technical support from Splunk has been good. Whenever we need to engage in professional services, they're always able to give us new information that we did not explicitly know, or they're able to validate what we need. Usually, when we talk to professional services of some kind, which is the main form of customer service I think that we use, it's usually quick and to the point in exactly what we need, which is fantastic. There have been times when we requested professional services, something we needed, and that was developed in-shop just for us, which is fantastic. The tool that was made to remove SOAR cluster nodes was requested by us, and then it became a feature later on. So that was amazing and helpful.

Positive

The initial deployment was extremely easy as a stand-alone instance. It's a straightforward process, especially for someone like me who has had to set up other servers containing security tools on them. In terms of setting up a cluster, I unfortunately haven't had experience setting up a cluster explicitly. I have had experience removing nodes from a cluster and with a new tool that was released, I believe, in version 6.0. It was made easier. When it comes to deploying Spunk SOAR, involves downloading the tarball, extracting it, running the pre-install script to ensure proper configuration, and then running the installation script. As long as system resources are sufficient, the installation itself should be quick despite the application's size.

The biggest metric that I've seen as a developer admin and DevOps engineer is the time saved. I don't think that on our end, we have set up the ROI functionality in SOAR yet, but I know that the timing has been massive. We should get it set up in  SOAR that way the customers see the value.

I would rate Splunk SOAR nine out of ten. It's a fantastic product it needs a few more features to make it amazing. The clustering does need to be simplified a bit. Version controlling for apps and making app development just a little bit easier for developers would take it to the next level. There's no other SOAR product that does what Splunk SOAR does as well. All other SOAR are frankly inferior, but it just needs that little bit of extra functionality to make it a truly great product.

We use Splunk SOAR to automate response for ransomware attacks.

We are triaging with SOAR. It helps the analysts with investigations by automating repetitive tasks and presenting them with scripts that include user lookups, and other information. It also includes widgets for notes.

Splunk SOAR has helped us save on repetitive tasks. Before we had SOAR, we used to triage in Splunk Enterprise using our app but we have migrated most of the searches into SOAR. Now with SOAR, we can get it to close the alerts we know about automatically. It is much faster so the analyst doesn't have many alerts to deal with. Now that we have migrated, we are moving more towards automation and using SOAR to work more for us. Splunk SOAR has freed up the time of three full-time analysts to focus on other tasks.

We only use Splunk SOAR on-premises, but end-to-end visibility is key to having a fast response to ransomware attacks even when we are not in the office.

Splunk has saved us time in threat response.  

We are not a 24/7 SOC, so the most valuable feature of Splunk SOAR is the auto-response to threats when we are not in the office and the notifications that it sends to the on-call engineer.

The banks have recently bought Splunk Enterprise Security. We haven't implemented it yet. It is being built. The new version coming out is going to incorporate Mission Control and SOAR. It looks like we will need to move Splunk again and do our triage in Enterprise Security. The reason we took the step to SOAR was for the functionality available for the triage which is now being incorporated into Mission Control. We can easily migrate the data over to Mission Control. For us, the next steps will be to use it as a backend server where we can run playbooks and triage in there.

It would be ideal for us if Splunk SOAR could integrate with Teams. 

I have been using Splunk SOAR for three years.

The version of Splunk SOAR we are on now is stable. We did have issues with the failover in the early days but now with how we have it configured there is hardly any downtime.

We use about one point six terabytes of data per day with Splunk with about 6,000 users. We don't need it to scale at the moment.

We use Splunk technical support a lot. They are good and we have a good relationship with our Account Manager who helps us with the tickets and provides us with articles.

Splunk technical support wasn't always readily available, and in one instance, a support representative didn't have the expertise to resolve our specific problem.

Positive

Before Splunk we had our analyst log in manually to Carbon Black. No tool automated the tasks until we switched to Splunk.

We had to get a small engineering team of about three people to be dedicated to Splunk SOAR so we could have Splunk professional service come in and give us a startup. That worked well. They passed their knowledge to our engineering team and we maintain it in-house now.

The implementation was completed with the help of the Splunk professional services team.

I found the price of Splunk SOAR to be good.

I would rate Splunk SOAR nine out of ten.

Our initial Splunk installation was a successful proof of concept but needed to be made more reliable. Splunk professional services offered assistance, but due to limitations in finding a suitable SOAR solution, we opted for a cold standby implementation. This allows us to switch to the standby instance if the primary SOAR becomes unavailable.

I'm using it mainly for SOC automation and reporting. It's for incident and threat modeling, incident reporting, and triage.

I come from a cybersecurity background and I used to work on the tickets for the security alerts we received from various sources, including Splunk and other SIEM tools. The major challenge was that we were occupied with a lot of noise and activities like validation of IP reports, DNS checks, and traffic monitoring. These were redundant activities that every analyst had to do. We wanted to stop these kinds of activities. 

Splunk SOAR has multiple integrations with various tools, such as VirusTotal. Once we purchased those tools from the respective owners and automated them, the kinds of redundant activities we were having to do were almost immediately stopped.

Also, the ingestion of multiple log sources together helped us eliminate false positives. Using the SOAR platform, our monthly alert count was reduced from 1,100 to 200 or 250. That was the best impact we have seen from implementing SOAR in our environment.

It has reduced our mean time to detect and mean time to respond, from 20 to 30 minutes to just 5 to 10 minutes. In cybersecurity, every moment can be a ticking time bomb for us. We need to get to a solution immediately, whenever any incident is triggered in our environment. SOAR has helped us a lot.

Using this platform has resulted in a better work-life balance for my team.

One of the features I like most is playbook creation, and custom functions are another. 

When you design a playbook, you can integrate multiple log sources and define rules. That used to be done by the analysts by going to the respective tools and doing tasks manually. Now, with playbook design, writing down those rules is a one-time activity that a SOAR admin has to do. After that, the platform automatically compiles all these activities and, based on the results, the analyst only has to indicate whether the result is a true or false positive. That reduces the time and effort involved. Our KPIs have greatly improved. An incident that used to take 15 to 20 minutes, was reduced to five minutes. This helped us speed up our response to any alert, whether it was a true positive or false positive.

Another of the best parts of the SOAR platform is its ability to integrate with other systems and applications. It provides API integrations and, through them, I can limit the rights for the tool, which is good. If I want to integrate any of the applications with CrowdStrike, but only for incident-review policies or just to review the work automation, I can grant rights only for those purposes. That is one of the best features available in SOAR. It is very easy to implement and very user-friendly.

The visibility of the solution’s playbook viewer depends on the right you assign to the analyst. SOAR has the flexibility to distinguish between the roles of analyst and owner. If the analyst's role is to just work on a ticket, they cannot view the playbook design platform. That is limited to the owner. That can be both a good and bad thing.

A major problem I have faced in SOAR's rights distribution is roles and responsibilities. Suppose I am initially granted user rights or analyst rights, but later on, I also get admin rights. SOAR is unable to amend the limitations of my role. I raised a support ticket with Splunk about this. They said it's a bug in their 5.3.5 version. To fix this, I had to reinstall the entire platform from scratch, just to amend the rights and responsibilities of one role. This bug was not fixed.

Also, the latest GUI is terrible. The previous one was better.

Another point is that while using Splunk SOAR in an investigation is not difficult, there are some complex parameters. We have SOAR case management, but the licensing is going to put a big hole in your pocket. Also, there is an issue with investigation node addition. When you are doing node additions you cannot grant the entire environment to have SOAR visibility into the incident. So when you integrate it with an ITSM tool, like ServiceNow or Jira for ticketing purposes, there is a challenge. When you do nodes for investigation on a regular basis, sometimes it does not update our ServiceNow platform, which is terrible. It is a redundant activity for an analyst to update that in the case management as well as in the ITSM tool. Although SOAR provides integration, the functionality of investigation and nodes is terrible when it comes to integration.

An additional area for improvement is custom function creation. It's terrible. A newbie cannot create custom functions right away. They would require a solid understanding first.

Also, the reporting is really awful. If I want to do a report for a customized time period, such as the last three days or the last four days, or from the 10th to the 12th of June, that is not available in SOAR at all. That kind of feature is available in Cortex XSOAR. Reporting is a real challenge.

I have been using Splunk SOAR for four years.

It's a stable environment. I don't have any complaints about it in terms of its stability.

Aside from the issue I described where I started with an analyst's role in the solution and then was granted an admin role but the privileges remained those of an analyst, and I had to reinstall the entire platform, overall, the scalability is good.

We have contacted their tech support many times. They are readily available if I raise a P-1 ticket, because SOAR is not something we can work without. Their support is good and more capable than the SME we hired.

Neutral

Before SOAR was purchased by Splunk, it was named Phantom and that is what I have worked with most of the time. I have also worked on Demisto, which is now Palo Alto Cortex XSOAR. That was a bit more user-friendly compared to Splunk SOAR.

The initial deployment of SOAR is very complex. In my previous company, the deployment took me almost 10 days, and that was with a Splunk SME sitting with us. We paid them money to have the SME, but even he was unable to do what we needed to be done. Later on, we raised a support ticket with them and there were multiple escalations from our upper management to the Splunk management team. They then sent a good technical guy and he fixed the issue within five minutes. Before that, we were unable to do the DR instance. It took around 10 to 15 days just to fix that.

It's very difficult to install. No newbie could install SOAR on his own. He will require support. Here, I'm specifically talking about the later versions, not Phantom, rather once it became Splunk SOAR v5.3.5.

We had three people involved.

There is some maintenance. For example, it was using Python 2.7 and then there was the decommissioning of that version and the move to Python 3.x. That meant upgrading all the playbooks.

It's very overpriced because it is based on the number of users. There is no bulk licensing.

My advice would be to negotiate the cost. And if your organization is on the smaller side, with between 200 to 500 employees, you should not purchase it because it will blow up your finances. A bigger environment, with 2,000-plus employees, can go with the Splunk SOAR solution.

And if you are going with this solution, you should confirm what support they are going to provide, such as whether they are going to provide training credits or not. Sometimes they don't provide Splunk credits for training. Any newbie who is going to work on this will find it terrible to work in this environment. He will not be able to work without guidance. Other SOAR solutions, like Demisto (Cortex SOAR) are very user-friendly.

We use Splunk SOAR mainly for security.

The most valuable feature of Splunk SOAR is the automated playbooks, which saves analysts time. The results that are returned provide additional context that we would have to look up manually in different tools. Splunk SOAR provides it in one pane of glass.

Splunk SOAR should improve its ease of upgrade, which is a pain point for us right now. Each upgrade to the version requires expertise and time commitment. Then, we usually have to troubleshoot it with support.

I have been using Splunk SOAR for two years.

Except for the upgrade challenges, Splunk SOAR is stable when it's operational.

Splunk SOAR is a scalable solution.

Splunk SOAR's technical support has been responsive. We have to go through tiers to get to the correct person for support.

Positive

Splunk SOAR's initial setup is complex.

The solution's deployment requires Splunk's outsourced professional services, who take care of the complexity for you. The professional services were good, and they knew what needed to be done for the solution's implementation.

Two people were required for the solution's deployment. These two people were responsible for administration, the use cases we needed to develop, our integration with the platforms, and integration with Splunk Enterprise.

We've had some challenges justifying our return on investment because of the development work and the continual efforts to maintain the solution. We haven't seen the return on investment yet, but I'm hopeful it can get us there.

Splunk SOAR is an expensive solution for an organization of our size. I don't like the solution's licensing model.

Before choosing Splunk SOAR, we evaluated other options. Splunk SOAR easily integrated with our Splunk solution, which was our main key. We are already a Splunk customer, which made the contracting easy.

Our organization monitors multiple cloud environments. Monitoring multiple cloud environments using Splunk SOAR is fairly easy when the integrations work. Some apps within Splunk SOAR require you to configure them and ensure they maintain their connection and that they're updated. We've had several issues with third-party ones and those developed by Splunk.

It is important for your organization that Splunk SOAR has end-to-end visibility into your cloud-native environment. We're security-focused, and we want to be able to look at the logs that are in our native applications.

For the use cases we've implemented, Splunk SOAR has helped reduce our mean time to resolve. However, there's been a lot of time to develop that. Overall, I haven't seen that I've saved time yet, but I expect we will in the future. Splunk SOAR can save the analyst up to 30 minutes for a single malware analysis playbook.

Overall, I rate Splunk SOAR a six out of ten.

Splunk SOAR streamlines the handling of common customer scenarios that arise across diverse situations. Even when specific expertise within our team varies, Splunk SOAR empowers all users with pre-built playbooks, guiding them through the required actions in any circumstance.

Splunk SOAR's UI is user-friendly for managing workflows.

The integration of Splunk SOAR is good.

When we implemented Splunk SOAR we were able to reduce our team of five down to three.

Splunk SOAR's quick response to incidents is the most valuable part.

The cost of Splunk SOAR has room for improvement.

I have been using Splunk SOAR for a couple of years.

Splunk SOAR is stable. We have not heard of any issues from our customers.

Splunk SOAR is scalable.

The cost is high and the licensing is on an annual basis.

I would rate Splunk SOAR an eight out of ten.

Security Operations and Incident response processes automation and alerts enrichment.

I have found all the security automation platform features of Splunk SOAR to be good. The Automation playbook development is highly useful.

The Splunk SOAR case management feature lacks some of the functionalities like the possibility to fully customize the fields for the tickets/events and create custom statuses. 

I have used Splunk SOAR within the last 12 months.

Splunk SOAR is a stable solution.

The scalability of Splunk SOAR is good.

We have approximately 100 people using this solution in my organization.

The technical support is good.

Positive

The initial setup of Splunk SOAR is complex. It has multiple integrations, deployable on many different development infrastructure stages of production. It has a full life cycle.

We have approximately two people for the maintenance and support of Splunk SOAR.

The price of Splunk SOAR is reasonable.

My advice to others is they will need some Python developers for Splunk SOAR because it's not possible to only throw some blocks of Python code and it will work. You will need some experienced Python developers if you want to work with this platform.

I rate Splunk SOAR a nine out of ten.