Solution Architect at a tech vendor with 10,001+ employees
Real User
Top 20
Versatile with good version control and excellent support
Pros and Cons
  • "My understanding is the initial setup isn't too hard."
  • "The pricing could be a bit more reasonable. It would be great if it were feasible for smaller organizations."

What is our primary use case?

This is a DevOps product.

We use the solution to monitor the activity of users and integrate Splunk UEBA, monitoring traffic, packages, external attacks, left movement, and lateral movements. We also use it maybe inside the person's C2 servers, and for exercise and SQL injections. Basically, we use the solution for any type of attack that can happen regarding the MITRE ATT&CK matrix.

What is most valuable?

The solution is very versatile.

It's a multi-functioning solution.

My understanding is the initial setup isn't too hard. 

The version control is excellent. 

Technical support is extremely helpful and responsive. 

What needs improvement?

The pricing could be a bit more reasonable. It would be great if it were feasible for smaller organizations. 

For how long have I used the solution?

I've been using the solution for two years now as a part of the bigger Splunk Enterprise deployment.

Buyer's Guide
Splunk SOAR
October 2024
Learn what your peers think about Splunk SOAR. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,562 professionals have used our research since 2012.

What do I think about the stability of the solution?

The stability is great. It offers easy version control. There are no bugs and glitches. It doesn't crash or freeze. The team is doing great managing releases. 

What do I think about the scalability of the solution?

The scalability is very high. It is easy to expand as needed. 

I use it in a very large organization with well over one million users worldwide. 

How are customer service and support?

We have a premium and dedicated team for tech support as well as a dedicated account manager. Everything is dedicated to the deployment. I can't say I'm not satisfied. Their response is usually very fast - within 30 minutes - and we have good experience with them.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

While I use other products as well, 90% of my day is on Splunk.

How was the initial setup?

While I didn't handle the implementation directly, I understand it's pretty easy.

What's my experience with pricing, setup cost, and licensing?

While the pricing is high, I don't care as long as the enterprise pays for it. For developers, it is free for 6 months and 500 GBs of ingestion per day.

From an enterprise standpoint, I'd rate the pricing ten out of ten as they are doing a great job and we are getting value for what we pay.

What other advice do I have?

I'm an end-user.

I'd advise new users to spend some time at the outset learning the commands. It will make it very easy to deal with.

I'd rate the solution ten out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Mack Scott - PeerSpot reviewer
Cyber Security Network Security Engineer at Cirrus Logic
Real User
Top 20
We can automate and orchestrate our detections and quickly respond to them
Pros and Cons
  • "In Splunk SOAR, I find the playbooks valuable. We get to create multiple playbooks, and within each playbook, there is a different type of investigation attached to it, which helps out an analyst or new analysts coming on board."
  • "They can improve on what they are currently doing. They can provide more playbooks or at least template playbooks that are in their repository."

What is our primary use case?

One of our use cases is to automate any kind of process after investigation. When going into an investigation, we want to make sure that we have the right tools to use. Instead of having multiple tools, we can bring them all into one platform, such as Splunk SOAR, to provide us with that information.

How has it helped my organization?

Splunk SOAR has not benefited us yet because we are currently in the development process, but I believe that in the future, it will help us streamline our process and our RTR to respond and detect. It is going to help us in the future, but it has not brought us any benefit yet because we are currently building it up.

It is very important that Splunk SOAR has end-to-end visibility into our cloud-native environment. If there is no visibility, then there is no ability for us to detect on time and respond in time. It knocks out a lot of that time discrepancy.

Splunk SOAR has not yet helped reduce our mean time to resolve. It will be helping us in the future due to its playbooks and its compatibility with Mission Control and other Splunk integrations.

It has helped us with our business continuity and our ability to respond to different threats that might be out there.

Splunk SOAR has not saved us time in alert triage. We are still in the early stages of getting Splunk SOAR onboarded and developed, but I believe that it will significantly reduce our time to triage. Similarly, Splunk SOAR has not saved us time in threat response, but it will do so in the future.

Splunk's unified platform has helped consolidate networking, security, and IT observability tools. Splunk's unified platform has been great for every organization. Every analyst has been able to use one unified area.

What is most valuable?

In Splunk SOAR, I find the playbooks valuable. We get to create multiple playbooks, and within each playbook, there is a different type of investigation attached to it, which helps out an analyst or new analysts coming on board. When they get an incident, they do not need to find out where to start. All they have to do is to go to a particular playbook. It will give them end-to-end specifics on what to do and how to process it.

What needs improvement?

They can improve what they are currently doing. They can provide more playbooks or at least template playbooks that are in their repository. That is one area.

Another area would probably be related to onboarding different playbooks or different tool sets that new engineers have. Eventually, they will get there to ingest more tools and datasets into their SOAR. 

In terms of additional features, it is hard to say. There can be more integration with other data ingestion platforms out there, not just Splunk.

For how long have I used the solution?

We have been using it for about one month.

What do I think about the stability of the solution?

We have not played with it too much yet. Once we are able to play with it more and get more details from it, we can respond to that.

What do I think about the scalability of the solution?

It can be very scalable just because of the number of different apps that the community pushes to it. Right now, it is not there yet, but I believe in the near future, it is going to be the best growing platform out there.

How are customer service and support?

Splunk's customer service is great and impeccable. I believe that they have been a very valuable resource to our organization and our team.

I would rate their support an eight out of ten just because I believe that no one really gets a ten. It is an eight just because the answers that they cannot answer for us, they are able to get from the community. The community really helps out, but they are always there to help, and they are always responsive.

How was the initial setup?

We are using Splunk Cloud, the public cloud, but we also have on-prem. We use AWS.

As the initial start of the Splunk SOAR, we are getting started with developing the playbooks and getting the configurations set up with our users and toolsets. It has been pretty easy so far. I have not had any hiccups, but we will see where that takes us as we finish our development.

What about the implementation team?

We did not use any integrator or reseller.

What was our ROI?

We have just started getting our metrics developed, ingesting into Splunk, and showing that to the executives.

What other advice do I have?

I would rate Splunk SOAR a nine out of ten just because it does hit all points for the use cases as an analyst, engineer, or developer. It allows us to automate and orchestrate all of our detections and respond to them very quickly.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer2499669 - PeerSpot reviewer
Cyber Defense Center Capability Lead at a financial services firm with 1,001-5,000 employees
Real User
Top 20
Helps analysts with investigations by automating repetitive tasks and presenting them with scripts that include user lookups and other information
Pros and Cons
  • "We are not a 24/7 SOC, so the most valuable feature of Splunk SOAR is the auto-response to threats when we are not in the office and the notifications that it sends to the on-call engineer."
  • "It would be ideal for us if Splunk SOAR could integrate with Teams."

What is our primary use case?

We use Splunk SOAR to automate response for ransomware attacks.

How has it helped my organization?

We are triaging with SOAR. It helps the analysts with investigations by automating repetitive tasks and presenting them with scripts that include user lookups and other information. It also includes widgets for notes.

Splunk SOAR has helped us save on repetitive tasks. Before we had SOAR, we used to triage in Splunk Enterprise using our app but we have migrated most of the searches into SOAR. Now with SOAR, we can get it to close the alerts we know about automatically. It is much faster so the analyst doesn't have many alerts to deal with. Now that we have migrated, we are moving more towards automation and using SOAR to work more for us. Splunk SOAR has freed up the time of three full-time analysts to focus on other tasks.

We only use Splunk SOAR on-premises, but end-to-end visibility is key to having a fast response to ransomware attacks even when we are not in the office.

Splunk has saved us time in threat response.  

What is most valuable?

We are not a 24/7 SOC, so the most valuable feature of Splunk SOAR is the auto-response to threats when we are not in the office and the notifications that it sends to the on-call engineer.

What needs improvement?

The banks have recently bought Splunk Enterprise Security. We haven't implemented it yet. It is being built. The new version coming out is going to incorporate Mission Control and SOAR. It looks like we will need to move Splunk again and do our triage in Enterprise Security. The reason we took the step to SOAR was for the functionality available for the triage which is now being incorporated into Mission Control. We can easily migrate the data over to Mission Control. For us, the next steps will be to use it as a backend server where we can run playbooks and triage in there.

It would be ideal for us if Splunk SOAR could integrate with Teams. 

For how long have I used the solution?

I have been using Splunk SOAR for three years.

What do I think about the stability of the solution?

The version of Splunk SOAR we are on now is stable. We did have issues with the failover in the early days but now with how we have it configured there is hardly any downtime.

What do I think about the scalability of the solution?

We use about 1.6 terabytes of data per day with Splunk with about 6,000 users. We don't need it to scale at the moment.

How are customer service and support?

We use Splunk technical support a lot. They are good and we have a good relationship with our Account Manager who helps us with the tickets and provides us with articles.

Splunk technical support wasn't always readily available, and in one instance, a support representative didn't have the expertise to resolve our specific problem.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Before Splunk we had our analyst log in manually to Carbon Black. No tool automated the tasks until we switched to Splunk.

How was the initial setup?

We had to get a small engineering team of about three people to be dedicated to Splunk SOAR so we could have Splunk professional service come in and give us a startup. That worked well. They passed their knowledge to our engineering team and we maintain it in-house now.

What about the implementation team?

The implementation was completed with the help of the Splunk professional services team.

What's my experience with pricing, setup cost, and licensing?

I found the price of Splunk SOAR to be good.

What other advice do I have?

I would rate Splunk SOAR nine out of ten.

Our initial Splunk installation was a successful proof of concept but needed to be made more reliable. Splunk professional services offered assistance, but due to limitations in finding a suitable SOAR solution, we opted for a cold standby implementation. This allows us to switch to the standby instance if the primary SOAR becomes unavailable.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
reviewer2239854 - PeerSpot reviewer
Cyber Security Architect at a financial services firm with 201-500 employees
Real User
Top 20
A stable solution that can be used for security, but its version upgrading requires expertise and time commitment
Pros and Cons
  • "The most valuable feature of Splunk SOAR is the automated playbooks, which saves analysts time."
  • "Splunk SOAR should improve its ease of upgrade, which is a pain point for us right now."

What is our primary use case?

We use Splunk SOAR mainly for security.

What is most valuable?

The most valuable feature of Splunk SOAR is the automated playbooks, which save analysts time. The results that are returned provide additional context that we would have to look up manually in different tools. Splunk SOAR provides it in one pane of glass.

What needs improvement?

Splunk SOAR should improve its ease of upgrade, which is a pain point for us right now. Each upgrade to the version requires expertise and time commitment. Then, we usually have to troubleshoot it with support.

For how long have I used the solution?

I have been using Splunk SOAR for two years.

What do I think about the stability of the solution?

Except for the upgrade challenges, Splunk SOAR is stable when it's operational.

What do I think about the scalability of the solution?

Splunk SOAR is a scalable solution.

How are customer service and support?

Splunk SOAR's technical support has been responsive. We have to go through tiers to get to the correct person for support.

How would you rate customer service and support?

Positive

How was the initial setup?

Splunk SOAR's initial setup is complex.

What about the implementation team?

The solution's deployment requires Splunk's outsourced professional services, who take care of the complexity for you. The professional services were good, and they knew what needed to be done for the solution's implementation.

Two people were required for the solution's deployment. These two people were responsible for administration, the use cases we needed to develop, our integration with the platforms, and integration with Splunk Enterprise.

What was our ROI?

We've had some challenges justifying our return on investment because of the development work and the continual efforts to maintain the solution. We haven't seen the return on investment yet, but I'm hopeful it can get us there.

What's my experience with pricing, setup cost, and licensing?

Splunk SOAR is an expensive solution for an organization of our size. I don't like the solution's licensing model.

Which other solutions did I evaluate?

Before choosing Splunk SOAR, we evaluated other options. Splunk SOAR easily integrated with our Splunk solution, which was our main key. We are already a Splunk customer, which made the contracting easy.

What other advice do I have?

Our organization monitors multiple cloud environments. Monitoring multiple cloud environments using Splunk SOAR is fairly easy when the integrations work. Some apps within Splunk SOAR require you to configure them and ensure they maintain their connection and that they're updated. We've had several issues with third-party ones and those developed by Splunk.

It is important for your organization that Splunk SOAR has end-to-end visibility into your cloud-native environment. We're security-focused, and we want to be able to look at the logs that are in our native applications.

For the use cases we've implemented, Splunk SOAR has helped reduce our mean time to resolve. However, there's been a lot of time to develop that. Overall, I haven't seen that I've saved time yet, but I expect we will in the future. Splunk SOAR can save the analyst up to 30 minutes for a single malware analysis playbook.

Overall, I rate Splunk SOAR a six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Volodymyr-Savov - PeerSpot reviewer
Splunk BDM at Clicko
Real User
Top 10
Is user-friendly, integrates well, and is stable
Pros and Cons
  • "Splunk SOAR's quick response to incidents is the most valuable part."
  • "The cost of Splunk SOAR has room for improvement."

What is our primary use case?

Splunk SOAR streamlines the handling of common customer scenarios that arise across diverse situations. Even when specific expertise within our team varies, Splunk SOAR empowers all users with pre-built playbooks, guiding them through the required actions in any circumstance.

How has it helped my organization?

Splunk SOAR's UI is user-friendly for managing workflows.

The integration of Splunk SOAR is good.

When we implemented Splunk SOAR we were able to reduce our team of five down to three.

What is most valuable?

Splunk SOAR's quick response to incidents is the most valuable part.

What needs improvement?

The cost of Splunk SOAR has room for improvement.

For how long have I used the solution?

I have been using Splunk SOAR for a couple of years.

What do I think about the stability of the solution?

Splunk SOAR is stable. We have not heard of any issues from our customers.

What do I think about the scalability of the solution?

Splunk SOAR is scalable.

What's my experience with pricing, setup cost, and licensing?

The cost is high and the licensing is on an annual basis.

What other advice do I have?

I would rate Splunk SOAR an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Sr. Principal Info Sec Analyst at a tech vendor with 5,001-10,000 employees
Real User
Top 10
Helped eliminate repetitive and redundant tasks, but custom functions and reporting need a lot of work
Pros and Cons
  • "When you design a playbook, you can integrate multiple log sources and define rules... After that, the platform automatically compiles all these activities and, based on the results, the analyst only has to indicate whether the result is a true or false positive. That reduces the time and effort involved."
  • "Suppose I am initially granted user rights or analyst rights, but later on, I also get admin rights. SOAR is unable to amend the limitations of my role. I raised a support ticket with Splunk about this. They said it's a bug in their 5.3.5 version. To fix this, I had to reinstall the entire platform from scratch."

What is our primary use case?

I'm using it mainly for SOC automation and reporting. It's for incident and threat modeling, incident reporting, and triage.

I come from a cybersecurity background and I used to work on the tickets for the security alerts we received from various sources, including Splunk and other SIEM tools. The major challenge was that we were occupied with a lot of noise and activities like validation of IP reports, DNS checks, and traffic monitoring. These were redundant activities that every analyst had to do. We wanted to stop these kinds of activities. 

How has it helped my organization?

Splunk SOAR has multiple integrations with various tools, such as VirusTotal. Once we purchased those tools from the respective owners and automated them, the kinds of redundant activities we were having to do were almost immediately stopped.

Also, the ingestion of multiple log sources together helped us eliminate false positives. Using the SOAR platform, our monthly alert count was reduced from 1,100 to 200 or 250. That was the best impact we have seen from implementing SOAR in our environment.

It has reduced our mean time to detect and mean time to respond, from 20 to 30 minutes to just 5 to 10 minutes. In cybersecurity, every moment can be a ticking time bomb for us. We need to get to a solution immediately, whenever any incident is triggered in our environment. SOAR has helped us a lot.

Using this platform has resulted in a better work-life balance for my team.

What is most valuable?

One of the features I like most is playbook creation, and custom functions are another. 

When you design a playbook, you can integrate multiple log sources and define rules. That used to be done by the analysts by going to the respective tools and doing tasks manually. Now, with playbook design, writing down those rules is a one-time activity that a SOAR admin has to do. After that, the platform automatically compiles all these activities and, based on the results, the analyst only has to indicate whether the result is a true or false positive. That reduces the time and effort involved. Our KPIs have greatly improved. An incident that used to take 15 to 20 minutes, was reduced to five minutes. This helped us speed up our response to any alert, whether it was a true positive or false positive.

Another of the best parts of the SOAR platform is its ability to integrate with other systems and applications. It provides API integrations and, through them, I can limit the rights for the tool, which is good. If I want to integrate any of the applications with CrowdStrike, but only for incident-review policies or just to review the work automation, I can grant rights only for those purposes. That is one of the best features available in SOAR. It is very easy to implement and very user-friendly.

What needs improvement?

The visibility of the solution’s playbook viewer depends on the right you assign to the analyst. SOAR has the flexibility to distinguish between the roles of analyst and owner. If the analyst's role is to just work on a ticket, they cannot view the playbook design platform. That is limited to the owner. That can be both a good and bad thing.

A major problem I have faced in SOAR's rights distribution is roles and responsibilities. Suppose I am initially granted user rights or analyst rights, but later on, I also get admin rights. SOAR is unable to amend the limitations of my role. I raised a support ticket with Splunk about this. They said it's a bug in their 5.3.5 version. To fix this, I had to reinstall the entire platform from scratch, just to amend the rights and responsibilities of one role. This bug was not fixed.

Also, the latest GUI is terrible. The previous one was better.

Another point is that while using Splunk SOAR in an investigation is not difficult, there are some complex parameters. We have SOAR case management, but the licensing is going to put a big hole in your pocket. Also, there is an issue with investigation node addition. When you are doing node additions you cannot grant the entire environment to have SOAR visibility into the incident. So when you integrate it with an ITSM tool, like ServiceNow or Jira for ticketing purposes, there is a challenge. When you do nodes for investigation on a regular basis, sometimes it does not update our ServiceNow platform, which is terrible. It is a redundant activity for an analyst to update that in the case management as well as in the ITSM tool. Although SOAR provides integration, the functionality of investigation and nodes is terrible when it comes to integration.

An additional area for improvement is custom function creation. It's terrible. A newbie cannot create custom functions right away. They would require a solid understanding first.

Also, the reporting is really awful. If I want to do a report for a customized time period, such as the last three days or the last four days, or from the 10th to the 12th of June, that is not available in SOAR at all. That kind of feature is available in Cortex XSOAR. Reporting is a real challenge.

For how long have I used the solution?

I have been using Splunk SOAR for four years.

What do I think about the stability of the solution?

It's a stable environment. I don't have any complaints about it in terms of its stability.

What do I think about the scalability of the solution?

Aside from the issue I described where I started with an analyst's role in the solution and then was granted an admin role but the privileges remained those of an analyst, and I had to reinstall the entire platform, overall, the scalability is good.

How are customer service and support?

We have contacted their tech support many times. They are readily available if I raise a P-1 ticket, because SOAR is not something we can work without. Their support is good and more capable than the SME we hired.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Before SOAR was purchased by Splunk, it was named Phantom and that is what I have worked with most of the time. I have also worked on Demisto, which is now Palo Alto Cortex XSOAR. That was a bit more user-friendly compared to Splunk SOAR.

How was the initial setup?

The initial deployment of SOAR is very complex. In my previous company, the deployment took me almost 10 days, and that was with a Splunk SME sitting with us. We paid them money to have the SME, but even he was unable to do what we needed to be done. Later on, we raised a support ticket with them and there were multiple escalations from our upper management to the Splunk management team. They then sent a good technical guy and he fixed the issue within five minutes. Before that, we were unable to do the DR instance. It took around 10 to 15 days just to fix that.

It's very difficult to install. No newbie could install SOAR on his own. He will require support. Here, I'm specifically talking about the later versions, not Phantom, rather once it became Splunk SOAR v5.3.5.

We had three people involved.

There is some maintenance. For example, it was using Python 2.7 and then there was the decommissioning of that version and the move to Python 3.x. That meant upgrading all the playbooks.

What's my experience with pricing, setup cost, and licensing?

It's very overpriced because it is based on the number of users. There is no bulk licensing.

What other advice do I have?

My advice would be to negotiate the cost. And if your organization is on the smaller side, with between 200 to 500 employees, you should not purchase it because it will blow up your finances. A bigger environment, with 2,000-plus employees, can go with the Splunk SOAR solution.

And if you are going with this solution, you should confirm what support they are going to provide, such as whether they are going to provide training credits or not. Sometimes they don't provide Splunk credits for training. Any newbie who is going to work on this will find it terrible to work in this environment. He will not be able to work without guidance. Other SOAR solutions, like Demisto (Cortex SOAR) are very user-friendly.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Filip Stojkovski - PeerSpot reviewer
VP - Security Automation Lead at a financial services firm with 10,001+ employees
Real User
Feature rich, useful automation playbook, and reliable
Pros and Cons
  • "I have found all the security automation platform features of Splunk SOAR to be good. The Automation playbook development is highly useful."
  • "The Splunk SOAR platform was not designed specifically for case management which is why this area needs improvement."

What is our primary use case?

Security Operations and Incident response processes automation and alerts enrichment.

What is most valuable?

I have found all the security automation platform features of Splunk SOAR to be good. The Automation playbook development is highly useful.

What needs improvement?

The Splunk SOAR case management feature lacks some of the functionalities like the possibility to fully customize the fields for the tickets/events and create custom statuses. 

For how long have I used the solution?

I have used Splunk SOAR within the last 12 months.

What do I think about the stability of the solution?

Splunk SOAR is a stable solution.

What do I think about the scalability of the solution?

The scalability of Splunk SOAR is good.

We have approximately 100 people using this solution in my organization.

How are customer service and support?

The technical support is good.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup of Splunk SOAR is complex. It has multiple integrations, deployable on many different development infrastructure stages of production. It has a full life cycle.

What about the implementation team?

We have approximately two people for the maintenance and support of Splunk SOAR.

What's my experience with pricing, setup cost, and licensing?

The price of Splunk SOAR is reasonable.

What other advice do I have?

My advice to others is they will need some Python developers for Splunk SOAR because it's not possible to only throw some blocks of Python code and it will work. You will need some experienced Python developers if you want to work with this platform.

I rate Splunk SOAR a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Tarun Singh - PeerSpot reviewer
Deputy Manager at a tech vendor with 10,001+ employees
Real User
Top 10
Multiple deployment options, simple customization, and highly mature functionality
Pros and Cons
  • "The most valuable feature of Splunk SOAR that stands out is it has a great SOAR. The automation and orchestration module is highly mature. A lot of use cases are on user entity and behavioral analytics (UEBA), which is artificial intelligence and machine learning-based (AIML)."
  • "Splunk SOAR can improve IoT/OT security-related case studies or your use cases. Their integration with identity and access management (IAM) solutions is a bit shaky. They don't have good integration with a lot of IAM solutions. They do have good capability in terms of user access management internally, but even with privileged user access, they have a good module. However, if they have to integrate with solutions, such as CyberArk or IBM IAM solutions they are lacking, the visibility of user access is not that much."

What is our primary use case?

Splunk SOAR can be deployed on the cloud, on-premise, and hybrid. If you want to put it to your cellphone or public cloud to use cloud services, such as Amazon AWS or Google Cloud Platform it is possible.

The main usage is for security monitoring, insider threat protection, user and entity behavioral analytics (UEBA), security orchestration, automation, privileged user and account protection, and security against attacks, such as phishing and advanced malware attacks.

What is most valuable?

The most valuable feature of Splunk SOAR that stands out is it has a great SOAR. The automation and orchestration module is highly mature. A lot of use cases are on user entity and behavioral analytics (UEBA), which is artificial intelligence and machine learning-based (AIML).

What needs improvement?

Splunk SOAR can improve IoT/OT security-related case studies or your use cases. Their integration with identity and access management (IAM) solutions is a bit shaky. They don't have good integration with a lot of IAM solutions. They do have good capability in terms of user access management internally, but even with privileged user access, they have a good module. However, if they have to integrate with solutions, such as CyberArk or IBM IAM solutions they are lacking, the visibility of user access is not that much.

For how long have I used the solution?

I have been using Splunk SOAR for approximately 10 years.

What do I think about the stability of the solution?

The stability of Splunk SOAR is good.

What do I think about the scalability of the solution?

Splunk SOAR is highly scalable.

How are customer service and support?

I rate the support from Splunk SOAR a three out of five.

The support knowledge of use cases from the telecom industry, and IoT industry are good. They're good at accommodating normal IT use cases, but when it comes to operating our OT devices, or telecom-related use cases, they're not really flexible or good at it. In terms of developing use cases for them, they are not that good. For example, if they are approached by some vendor and they say, "Devise up some use cases for Nokia and Huawei", these are our basic telecom providers, it's really difficult for Splunk SOAR to make use cases for them. They're good at IT, but they're not good at OT and IoT.

How was the initial setup?

Splunk SOAR is easy to deploy. It has a lot of already built-in use cases, and it is very easy to customize. For the deployment of Splunk SOAR, it takes approximately two engineers. For a medium complexity, 3000 DPS-sized deployments, it will take a half month. If there are a lot of custom use cases, you can add another month for those customizations to be completed.

What about the implementation team?

We need approximately four to five engineers for maintenance for a dedicated sizing. If you are going for a shared model, then two to three engineers would be sufficient. Both have 24 hours a day seven days a week operating windows.

What was our ROI?

I won't say ROI's not there for Splunk SOAR. It's a value-for-money solution, but if they charge less, then it will bring more value. Currently, the ROI is flat, you will hardly have an ROI.

What's my experience with pricing, setup cost, and licensing?

Splunk SOAR follows very flat pricing and most of the time it's very high when compared to the other competitors. They can improve their pricing. The licensing model is a subscription and is consumption-based.

What other advice do I have?

I rate Splunk SOAR an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.