Splunk SOAR Reviews

This is a DevOps product.

We use the solution to monitor the activity of users and integrate Splunk UEBA, monitoring traffic, packages, external attacks, left movement, and lateral movements. We also use it maybe inside the person's C2 servers, and for exercise and SQL injections. Basically, we use the solution for any type of attack that can happen regarding the meter attack grid.

The solution is very versatile.

It's a multi-functioning solution.

My understanding is the initial setup isn't too hard. 

The version control is excellent. 

Technical support is extremely helpful and responsive. 

The pricing could be a bit more reasonable. It would be great if it were feasible for smaller organizations. 

I've been using the solution for two years now as a part of the bigger Splunk Enterprise deployment.

The stability is great. It offers easy version control. There are no bugs and glitches. It doesn't crash or freeze. The team is doing great managing releases. 

The scalability is very high. It is easy to expand as needed. 

I use it in a very large organization with well over one million users worldwide. 

We have a premium and dedicated team for tech support as well as a dedicated account manager. Everything is dedicated to the deployment. I can't say I'm not satisfied. Their response is usually very fast - within 30 minutes - and we have good experience with them.

Positive

While I use other products as well, 90% of my day is on Splunk.

While I didn't handle the implementation directly, I understand it's pretty easy.

While the pricing is high, I don't care as long as the enterprise pays for it. For developers, it is free for 6 months and 500 GBs of ingestion per day.

From an enterprise standpoint, I'd rate the pricing ten out of ten as they are doing a great job and we are getting value for what we pay.

I'm an end-user.

I'd advise new users to spend some time at the outset learning the commands. It will make it very easy to deal with.

I'd rate the solution ten out of ten.

One of our use cases is to automate any kind of process after investigation. When going into an investigation, we want to make sure that we have the right tools to use. Instead of having multiple tools, we can bring them all into one platform, such as Splunk SOAR, to provide us with that information.

Splunk SOAR has not benefited us yet because we are currently in the development process, but I believe that in the future, it will help us streamline our process and our RTR to respond and detect. It is going to help us in the future, but it has not brought us any benefit yet because we are currently building it up.

It is very important that Splunk SOAR has end-to-end visibility into our cloud-native environment. If there is no visibility, then there is no ability for us to detect on time and respond in time. It knocks out a lot of that time discrepancy.

Splunk SOAR has not yet helped reduce our mean time to resolve. It will be helping us in the future due to its playbooks and its compatibility with Mission Control and other Splunk integrations.

It has helped us with our business continuity and our ability to respond to different threats that might be out there.

Splunk SOAR has not saved us time in alert triage. We are still in the early stages of getting Splunk SOAR onboarded and developed, but I believe that it will significantly reduce our time to triage. Similarly, Splunk SOAR has not saved us time in threat response, but it will do so in the future.

Splunk's unified platform has helped consolidate networking, security, and IT observability tools. Splunk's unified platform has been great for every organization. Every analyst has been able to use one unified area.

In Splunk SOAR, I find the playbooks valuable. We get to create multiple playbooks, and within each playbook, there is a different type of investigation attached to it, which helps out an analyst or new analysts coming on board. When they get an incident, they do not need to find out where to start. All they have to do is to go to a particular playbook. It will give them end-to-end specifics on what to do and how to process it.

They can improve what they are currently doing. They can provide more playbooks or at least template playbooks that are in their repository. That is one area.

Another area would probably be related to onboarding different playbooks or different tool sets that new engineers have. Eventually, they will get there to ingest more tools and datasets into their SOAR. 

In terms of additional features, it is hard to say. There can be more integration with other data ingestion platforms out there, not just Splunk.

We have been using it for about one month.

We have not played with it too much yet. Once we are able to play with it more and get more details from it, we can respond to that.

It can be very scalable just because of the number of different apps that the community pushes to it. Right now, it is not there yet, but I believe in the near future, it is going to be the best growing platform out there.

Splunk's customer service is great and impeccable. I believe that they have been a very valuable resource to our organization and our team.

I would rate their support an eight out of ten just because I believe that no one really gets a ten. It is an eight just because the answers that they cannot answer for us, they are able to get from the community. The community really helps out, but they are always there to help, and they are always responsive.

We are using Splunk Cloud, the public cloud, but we also have on-prem. We use AWS.

As the initial start of the Splunk SOAR, we are getting started with developing the playbooks and getting the configurations set up with our users and toolsets. It has been pretty easy so far. I have not had any hiccups, but we will see where that takes us as we finish our development.

We did not use any integrator or reseller.

We have just started getting our metrics developed, ingesting into Splunk, and showing that to the executives.

I would rate Splunk SOAR a nine out of ten just because it does hit all points for the use cases as an analyst, engineer, or developer. It allows us to automate and orchestrate all of our detections and respond to them very quickly.

We use Splunk SOAR to automate response for ransomware attacks.

We are triaging with SOAR. It helps the analysts with investigations by automating repetitive tasks and presenting them with scripts that include user lookups, and other information. It also includes widgets for notes.

Splunk SOAR has helped us save on repetitive tasks. Before we had SOAR, we used to triage in Splunk Enterprise using our app but we have migrated most of the searches into SOAR. Now with SOAR, we can get it to close the alerts we know about automatically. It is much faster so the analyst doesn't have many alerts to deal with. Now that we have migrated, we are moving more towards automation and using SOAR to work more for us. Splunk SOAR has freed up the time of three full-time analysts to focus on other tasks.

We only use Splunk SOAR on-premises, but end-to-end visibility is key to having a fast response to ransomware attacks even when we are not in the office.

Splunk has saved us time in threat response.  

We are not a 24/7 SOC, so the most valuable feature of Splunk SOAR is the auto-response to threats when we are not in the office and the notifications that it sends to the on-call engineer.

The banks have recently bought Splunk Enterprise Security. We haven't implemented it yet. It is being built. The new version coming out is going to incorporate Mission Control and SOAR. It looks like we will need to move Splunk again and do our triage in Enterprise Security. The reason we took the step to SOAR was for the functionality available for the triage which is now being incorporated into Mission Control. We can easily migrate the data over to Mission Control. For us, the next steps will be to use it as a backend server where we can run playbooks and triage in there.

It would be ideal for us if Splunk SOAR could integrate with Teams. 

I have been using Splunk SOAR for three years.

The version of Splunk SOAR we are on now is stable. We did have issues with the failover in the early days but now with how we have it configured there is hardly any downtime.

We use about one point six terabytes of data per day with Splunk with about 6,000 users. We don't need it to scale at the moment.

We use Splunk technical support a lot. They are good and we have a good relationship with our Account Manager who helps us with the tickets and provides us with articles.

Splunk technical support wasn't always readily available, and in one instance, a support representative didn't have the expertise to resolve our specific problem.

Positive

Before Splunk we had our analyst log in manually to Carbon Black. No tool automated the tasks until we switched to Splunk.

We had to get a small engineering team of about three people to be dedicated to Splunk SOAR so we could have Splunk professional service come in and give us a startup. That worked well. They passed their knowledge to our engineering team and we maintain it in-house now.

The implementation was completed with the help of the Splunk professional services team.

I found the price of Splunk SOAR to be good.

I would rate Splunk SOAR nine out of ten.

Our initial Splunk installation was a successful proof of concept but needed to be made more reliable. Splunk professional services offered assistance, but due to limitations in finding a suitable SOAR solution, we opted for a cold standby implementation. This allows us to switch to the standby instance if the primary SOAR becomes unavailable.

We use Splunk SOAR mainly for security.

The most valuable feature of Splunk SOAR is the automated playbooks, which saves analysts time. The results that are returned provide additional context that we would have to look up manually in different tools. Splunk SOAR provides it in one pane of glass.

Splunk SOAR should improve its ease of upgrade, which is a pain point for us right now. Each upgrade to the version requires expertise and time commitment. Then, we usually have to troubleshoot it with support.

I have been using Splunk SOAR for two years.

Except for the upgrade challenges, Splunk SOAR is stable when it's operational.

Splunk SOAR is a scalable solution.

Splunk SOAR's technical support has been responsive. We have to go through tiers to get to the correct person for support.

Positive

Splunk SOAR's initial setup is complex.

The solution's deployment requires Splunk's outsourced professional services, who take care of the complexity for you. The professional services were good, and they knew what needed to be done for the solution's implementation.

Two people were required for the solution's deployment. These two people were responsible for administration, the use cases we needed to develop, our integration with the platforms, and integration with Splunk Enterprise.

We've had some challenges justifying our return on investment because of the development work and the continual efforts to maintain the solution. We haven't seen the return on investment yet, but I'm hopeful it can get us there.

Splunk SOAR is an expensive solution for an organization of our size. I don't like the solution's licensing model.

Before choosing Splunk SOAR, we evaluated other options. Splunk SOAR easily integrated with our Splunk solution, which was our main key. We are already a Splunk customer, which made the contracting easy.

Our organization monitors multiple cloud environments. Monitoring multiple cloud environments using Splunk SOAR is fairly easy when the integrations work. Some apps within Splunk SOAR require you to configure them and ensure they maintain their connection and that they're updated. We've had several issues with third-party ones and those developed by Splunk.

It is important for your organization that Splunk SOAR has end-to-end visibility into your cloud-native environment. We're security-focused, and we want to be able to look at the logs that are in our native applications.

For the use cases we've implemented, Splunk SOAR has helped reduce our mean time to resolve. However, there's been a lot of time to develop that. Overall, I haven't seen that I've saved time yet, but I expect we will in the future. Splunk SOAR can save the analyst up to 30 minutes for a single malware analysis playbook.

Overall, I rate Splunk SOAR a six out of ten.

Splunk SOAR streamlines the handling of common customer scenarios that arise across diverse situations. Even when specific expertise within our team varies, Splunk SOAR empowers all users with pre-built playbooks, guiding them through the required actions in any circumstance.

Splunk SOAR's UI is user-friendly for managing workflows.

The integration of Splunk SOAR is good.

When we implemented Splunk SOAR we were able to reduce our team of five down to three.

Splunk SOAR's quick response to incidents is the most valuable part.

The cost of Splunk SOAR has room for improvement.

I have been using Splunk SOAR for a couple of years.

Splunk SOAR is stable. We have not heard of any issues from our customers.

Splunk SOAR is scalable.

The cost is high and the licensing is on an annual basis.

I would rate Splunk SOAR an eight out of ten.

I'm using it mainly for SOC automation and reporting. It's for incident and threat modeling, incident reporting, and triage.

I come from a cybersecurity background and I used to work on the tickets for the security alerts we received from various sources, including Splunk and other SIEM tools. The major challenge was that we were occupied with a lot of noise and activities like validation of IP reports, DNS checks, and traffic monitoring. These were redundant activities that every analyst had to do. We wanted to stop these kinds of activities. 

Splunk SOAR has multiple integrations with various tools, such as VirusTotal. Once we purchased those tools from the respective owners and automated them, the kinds of redundant activities we were having to do were almost immediately stopped.

Also, the ingestion of multiple log sources together helped us eliminate false positives. Using the SOAR platform, our monthly alert count was reduced from 1,100 to 200 or 250. That was the best impact we have seen from implementing SOAR in our environment.

It has reduced our mean time to detect and mean time to respond, from 20 to 30 minutes to just 5 to 10 minutes. In cybersecurity, every moment can be a ticking time bomb for us. We need to get to a solution immediately, whenever any incident is triggered in our environment. SOAR has helped us a lot.

Using this platform has resulted in a better work-life balance for my team.

One of the features I like most is playbook creation, and custom functions are another. 

When you design a playbook, you can integrate multiple log sources and define rules. That used to be done by the analysts by going to the respective tools and doing tasks manually. Now, with playbook design, writing down those rules is a one-time activity that a SOAR admin has to do. After that, the platform automatically compiles all these activities and, based on the results, the analyst only has to indicate whether the result is a true or false positive. That reduces the time and effort involved. Our KPIs have greatly improved. An incident that used to take 15 to 20 minutes, was reduced to five minutes. This helped us speed up our response to any alert, whether it was a true positive or false positive.

Another of the best parts of the SOAR platform is its ability to integrate with other systems and applications. It provides API integrations and, through them, I can limit the rights for the tool, which is good. If I want to integrate any of the applications with CrowdStrike, but only for incident-review policies or just to review the work automation, I can grant rights only for those purposes. That is one of the best features available in SOAR. It is very easy to implement and very user-friendly.

The visibility of the solution’s playbook viewer depends on the right you assign to the analyst. SOAR has the flexibility to distinguish between the roles of analyst and owner. If the analyst's role is to just work on a ticket, they cannot view the playbook design platform. That is limited to the owner. That can be both a good and bad thing.

A major problem I have faced in SOAR's rights distribution is roles and responsibilities. Suppose I am initially granted user rights or analyst rights, but later on, I also get admin rights. SOAR is unable to amend the limitations of my role. I raised a support ticket with Splunk about this. They said it's a bug in their 5.3.5 version. To fix this, I had to reinstall the entire platform from scratch, just to amend the rights and responsibilities of one role. This bug was not fixed.

Also, the latest GUI is terrible. The previous one was better.

Another point is that while using Splunk SOAR in an investigation is not difficult, there are some complex parameters. We have SOAR case management, but the licensing is going to put a big hole in your pocket. Also, there is an issue with investigation node addition. When you are doing node additions you cannot grant the entire environment to have SOAR visibility into the incident. So when you integrate it with an ITSM tool, like ServiceNow or Jira for ticketing purposes, there is a challenge. When you do nodes for investigation on a regular basis, sometimes it does not update our ServiceNow platform, which is terrible. It is a redundant activity for an analyst to update that in the case management as well as in the ITSM tool. Although SOAR provides integration, the functionality of investigation and nodes is terrible when it comes to integration.

An additional area for improvement is custom function creation. It's terrible. A newbie cannot create custom functions right away. They would require a solid understanding first.

Also, the reporting is really awful. If I want to do a report for a customized time period, such as the last three days or the last four days, or from the 10th to the 12th of June, that is not available in SOAR at all. That kind of feature is available in Cortex XSOAR. Reporting is a real challenge.

I have been using Splunk SOAR for four years.

It's a stable environment. I don't have any complaints about it in terms of its stability.

Aside from the issue I described where I started with an analyst's role in the solution and then was granted an admin role but the privileges remained those of an analyst, and I had to reinstall the entire platform, overall, the scalability is good.

We have contacted their tech support many times. They are readily available if I raise a P-1 ticket, because SOAR is not something we can work without. Their support is good and more capable than the SME we hired.

Neutral

Before SOAR was purchased by Splunk, it was named Phantom and that is what I have worked with most of the time. I have also worked on Demisto, which is now Palo Alto Cortex XSOAR. That was a bit more user-friendly compared to Splunk SOAR.

The initial deployment of SOAR is very complex. In my previous company, the deployment took me almost 10 days, and that was with a Splunk SME sitting with us. We paid them money to have the SME, but even he was unable to do what we needed to be done. Later on, we raised a support ticket with them and there were multiple escalations from our upper management to the Splunk management team. They then sent a good technical guy and he fixed the issue within five minutes. Before that, we were unable to do the DR instance. It took around 10 to 15 days just to fix that.

It's very difficult to install. No newbie could install SOAR on his own. He will require support. Here, I'm specifically talking about the later versions, not Phantom, rather once it became Splunk SOAR v5.3.5.

We had three people involved.

There is some maintenance. For example, it was using Python 2.7 and then there was the decommissioning of that version and the move to Python 3.x. That meant upgrading all the playbooks.

It's very overpriced because it is based on the number of users. There is no bulk licensing.

My advice would be to negotiate the cost. And if your organization is on the smaller side, with between 200 to 500 employees, you should not purchase it because it will blow up your finances. A bigger environment, with 2,000-plus employees, can go with the Splunk SOAR solution.

And if you are going with this solution, you should confirm what support they are going to provide, such as whether they are going to provide training credits or not. Sometimes they don't provide Splunk credits for training. Any newbie who is going to work on this will find it terrible to work in this environment. He will not be able to work without guidance. Other SOAR solutions, like Demisto (Cortex SOAR) are very user-friendly.

Security Operations and Incident response processes automation and alerts enrichment.

I have found all the security automation platform features of Splunk SOAR to be good. The Automation playbook development is highly useful.

The Splunk SOAR case management feature lacks some of the functionalities like the possibility to fully customize the fields for the tickets/events and create custom statuses. 

I have used Splunk SOAR within the last 12 months.

Splunk SOAR is a stable solution.

The scalability of Splunk SOAR is good.

We have approximately 100 people using this solution in my organization.

The technical support is good.

Positive

The initial setup of Splunk SOAR is complex. It has multiple integrations, deployable on many different development infrastructure stages of production. It has a full life cycle.

We have approximately two people for the maintenance and support of Splunk SOAR.

The price of Splunk SOAR is reasonable.

My advice to others is they will need some Python developers for Splunk SOAR because it's not possible to only throw some blocks of Python code and it will work. You will need some experienced Python developers if you want to work with this platform.

I rate Splunk SOAR a nine out of ten.

Splunk SOAR can be deployed on the cloud, on-premise, and hybrid. If you want to put it to your cellphone or public cloud to use cloud services, such as Amazon AWS or Google Cloud Platform it is possible.

The main usage is for security monitoring, insider threat protection, user and entity behavioral analytics (UEBA), Security orchestration, automation, privileged user and account protection, and security against attacks, such as phishing and advanced malware attacks.

The most valuable feature of Splunk SOAR that stands out is it has a great SOAR. The automation and orchestration module is highly mature. A lot of use cases are on user entity and behavioral analytics (UEBA), which is artificial intelligence and machine learning-based (AIML).

Splunk SOAR can improve IoT/OT security-related case studies or your use cases. Their integration with identity and access management (IAM) solutions is a bit shaky. They don't have good integration with a lot of IAM solutions. They do have good capability in terms of user access management internally, but even with privileged user access, they have a good module. However, if they have to integrate with solutions, such as CyberArk or IBM IAM solutions they are lacking, the visibility of user access is not that much.

I have been using Splunk SOAR for approximately 10 years.

The stability of Splunk SOAR is good.

Splunk SOAR is highly scalable.

I rate the support from Splunk SOAR a three out of five.

The support knowledge of use cases from the telecom industry, and IoT industry are good. They're good at accommodating normal IT use cases, but when it comes to operating our OT devices, or telecom-related use cases, they're not really flexible or good at it. In terms of developing use cases for them, they are not that good. For example, if they are approached by some vendor and they say, "Devise up some use cases for Nokia and Huawei", these are our basic telecom providers, it's really difficult for Splunk SOAR to make use cases for them. They're good at IT, but they're not good at OT and IoT.

Splunk SOAR is easy to deploy. It has a lot of already built-in use cases, and it is very easy to customize. For the deployment of Splunk SOAR, it takes approximately two engineers. For a medium complexity, 3000 DPS-sized deployments, it will take a half month. If there are a lot of custom use cases, you can add another month for those customizations to be completed.

We need approximately four to five engineers for maintenance for a dedicated sizing. If you are going for a shared model, then two to three engineers would be sufficient. Both have 24 hours a day seven days a week operating windows.

I won't say ROI's not there for Splunk SOAR. It's a value-for-money solution, but if they charge less, then it will bring more value. Currently, the ROI is flat, you will hardly have an ROI.

Splunk SOAR follows very flat pricing and most of the time it's very high when compared to the other competitors. They can improve their pricing. The licensing model is a subscription and is consumption-based.

I rate Splunk SOAR an eight out of ten.