Try our new research platform with insights from 80,000+ expert users
Tarun Singh - PeerSpot reviewer
Deputy Manager at a tech vendor with 10,001+ employees
Real User
Top 10
Multiple deployment options, simple customization, and highly mature functionality
Pros and Cons
  • "The most valuable feature of Splunk SOAR that stands out is it has a great SOAR. The automation and orchestration module is highly mature. A lot of use cases are on user entity and behavioral analytics (UEBA), which is artificial intelligence and machine learning-based (AIML)."
  • "Splunk SOAR can improve IoT/OT security-related case studies or your use cases. Their integration with identity and access management (IAM) solutions is a bit shaky. They don't have good integration with a lot of IAM solutions. They do have good capability in terms of user access management internally, but even with privileged user access, they have a good module. However, if they have to integrate with solutions, such as CyberArk or IBM IAM solutions they are lacking, the visibility of user access is not that much."

What is our primary use case?

Splunk SOAR can be deployed on the cloud, on-premise, and hybrid. If you want to put it to your cellphone or public cloud to use cloud services, such as Amazon AWS or Google Cloud Platform it is possible.

The main usage is for security monitoring, insider threat protection, user and entity behavioral analytics (UEBA), Security orchestration, automation, privileged user and account protection, and security against attacks, such as phishing and advanced malware attacks.

What is most valuable?

The most valuable feature of Splunk SOAR that stands out is it has a great SOAR. The automation and orchestration module is highly mature. A lot of use cases are on user entity and behavioral analytics (UEBA), which is artificial intelligence and machine learning-based (AIML).

What needs improvement?

Splunk SOAR can improve IoT/OT security-related case studies or your use cases. Their integration with identity and access management (IAM) solutions is a bit shaky. They don't have good integration with a lot of IAM solutions. They do have good capability in terms of user access management internally, but even with privileged user access, they have a good module. However, if they have to integrate with solutions, such as CyberArk or IBM IAM solutions they are lacking, the visibility of user access is not that much.

For how long have I used the solution?

I have been using Splunk SOAR for approximately 10 years.

Buyer's Guide
Splunk SOAR
October 2024
Learn what your peers think about Splunk SOAR. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,763 professionals have used our research since 2012.

What do I think about the stability of the solution?

The stability of Splunk SOAR is good.

What do I think about the scalability of the solution?

Splunk SOAR is highly scalable.

How are customer service and support?

I rate the support from Splunk SOAR a three out of five.

The support knowledge of use cases from the telecom industry, and IoT industry are good. They're good at accommodating normal IT use cases, but when it comes to operating our OT devices, or telecom-related use cases, they're not really flexible or good at it. In terms of developing use cases for them, they are not that good. For example, if they are approached by some vendor and they say, "Devise up some use cases for Nokia and Huawei", these are our basic telecom providers, it's really difficult for Splunk SOAR to make use cases for them. They're good at IT, but they're not good at OT and IoT.

How was the initial setup?

Splunk SOAR is easy to deploy. It has a lot of already built-in use cases, and it is very easy to customize. For the deployment of Splunk SOAR, it takes approximately two engineers. For a medium complexity, 3000 DPS-sized deployments, it will take a half month. If there are a lot of custom use cases, you can add another month for those customizations to be completed.

What about the implementation team?

We need approximately four to five engineers for maintenance for a dedicated sizing. If you are going for a shared model, then two to three engineers would be sufficient. Both have 24 hours a day seven days a week operating windows.

What was our ROI?

I won't say ROI's not there for Splunk SOAR. It's a value-for-money solution, but if they charge less, then it will bring more value. Currently, the ROI is flat, you will hardly have an ROI.

What's my experience with pricing, setup cost, and licensing?

Splunk SOAR follows very flat pricing and most of the time it's very high when compared to the other competitors. They can improve their pricing. The licensing model is a subscription and is consumption-based.

What other advice do I have?

I rate Splunk SOAR an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
General Manager at Adeline
Reseller
Robust, easy to expand, and thoroughly documented
Pros and Cons
  • "Our customers find it easy to conduct searches and consider it an excellent content management system."
  • "In my opinion, the focus should be on improving its simplicity, specifically the interface, and configuration."

What is our primary use case?

We use Splunk SOAR internally.

We are resellers and an integration company.

What is most valuable?

Our customers find it easy to conduct searches and consider it an excellent content management system.

What needs improvement?

The initial setup could be simplified.

In my opinion, the focus should be on improving its simplicity, specifically the interface, and configuration.

For how long have I used the solution?

I have been familiar with Splunk SOAR for six years.

What do I think about the stability of the solution?

In our experience, Splunk is very good. When it comes to stability, it's the best of the best. 

We have worked with many other products, and we have not encountered any issues or received any negative feedback regarding Splunk's stability.

What do I think about the scalability of the solution?

Splunk SOAR is a scalable product.

Splunk is used by 20 of our customers. They are large enterprises such as banks and government agencies.

How are customer service and support?

My engineer recently stated that there was no need to reach out to Splunk support because the product is very stable and well-documented.

Which solution did I use previously and why did I switch?

We work with both Splunk Enterprise and Splunk Enterprise Security.

We only have limited expertise with Splunk SOAR.

We work with various other products besides Symantec. Around six or seven years ago, we also worked with Symantec, where we evaluated Symantec Closet, our Configuration Management (CM) solution. However, we eventually chose Splunk as our preferred product and currently use only Splunk, not any other products.

How was the initial setup?

The initial setup is complex.

We don't have much experience with this project as we have only been working with it for a year. I may not be able to provide you with extensive information about it.

What's my experience with pricing, setup cost, and licensing?

In my opinion, the price is high, but if you want good products, you have to be willing to pay for them.

There is a licensing fee required.

I believe that the cost per customer typically ranges from one hundred thousand to one million US Dollars.

Which other solutions did I evaluate?

I believe that Splunk is essential for us and our customers, and we require qualified engineers to use it effectively. However, if we have a skilled engineer, they will likely not have any further questions or issues with the solution.

What other advice do I have?

I would rate Splunk SOAR a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Buyer's Guide
Splunk SOAR
October 2024
Learn what your peers think about Splunk SOAR. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,763 professionals have used our research since 2012.
Hari Haran. - PeerSpot reviewer
Technical Associate at Positka
Real User
Top 5
Very stable with a straightforward setup and good performance
Pros and Cons
  • "The customization continues to be excellent."
  • "In the beginning, we couldn't find any specific documents for every function. It wasn't easy to navigate to what we needed."

What is our primary use case?

We are doing some automation on the SIM and we are getting some SIMS and we are looking for some automation to improve the security environment. That's how we are currently using Splunk.

What is most valuable?

Comparing this product to other SOAR tools, most of the items are the same, however, the UI of Phantom is pretty good if you compare it against other SOAR tools.

The work formation and the templates based on some use cases all look good.

The product is very easy to use and has a very good user experience.

The solution is very stable.

The initial setup is pretty straightforward.

We've found the written documentation to be excellent.

The performance is very good.

We've found the solution has recently improved its UI.

The customization continues to be excellent.

What needs improvement?

In the beginning, we couldn't find any specific documents for every function. It wasn't easy to navigate to what we needed. However, lately, it has improved and we are able to find Splunk documents for all the functionalities of Phantom. 

It would be helpful, on the other hand, if there were videos regarding each functionality. That would make it even easier to work with Phantom. We are able to find some documentation in written form, and that's fine. If it is in a video format, then it would be better due to the fact that, in some environments, we find some other issues or something and it would be nice to have a visualization of the process.

The solution is a bit more expensive than other offerings.

I'd recommend that the solution add some new apps, or some average services, like bots or G-Suite. We may already have G Suite in Phantom. Bots, like any common VPN service, would be great, however.

For how long have I used the solution?

I've used the solution for about one year or so. It hasn't been an extremely long amount of time just yet.

What do I think about the stability of the solution?

We haven't had any stability issues at all. It doesn't crash or freeze. It's not buggy. There aren't glitches that I've seen. It seems very stable and very reliable. 

We have had an issue related to the firewall. However, that had nothing to do with Splunk directly.

What do I think about the scalability of the solution?

We have five or six individuals that handle Phantom at any given time, as needed.

We didn't try to scale Splunk due to the fact that we already have a VM and we are working on that. We don't use Phantom too much as we have some community license. Based on the license, we are running simple actions only, and therefore we are not giving that much of a workload to Phantom.

How are customer service and technical support?

I haven't been in contact with technical support at all. I can't speak to their responsiveness or how helpful they would be.

That said, some of my colleagues have done a boot camp with technical support, and they likely have had contact. I haven't heard of anything negative.

Which solution did I use previously and why did I switch?

I didn't previously use a different tool. This is my first SOAR tool. I've also used Demisto. These are the two tools that I have and that I currently work with.

It's my understanding, from a customer's perspective, that the better solution is Demisto based on licensing costs, however, in terms of the performance and efficiency involved, it's Phantom. Phantom is a bit more expensive in general.

How was the initial setup?

The initial set up seems pretty easy. While I didn't personally handle any part of it, it's my understanding that it's not a big issue to implement everything. We were able to install the file easily. It was straight forward. When we were handling the clustering part, it was a little difficult as we had some license issues. We need a license to get that clustering part set up. It would be ideal if they offered at least a trial license so that we could see how it works and the formation, etc. Right now, without any license, we aren't able to do this clustering part.

I'm unsure as to how maintenance is handled on the solution. I believe we need to handle it manually as we did not install any bot that would handle anything. There may be alternative workarounds in newer versions.

What about the implementation team?

I'm not working deeply on Phantom. In fact, I'm concentrating more on SIM. My colleagues are the ones working on Phantom. Therefore, I'm not sure if we actually had outside assistance or handled everything internally.

What's my experience with pricing, setup cost, and licensing?

We use a community license. We don't have to pay for any actual licensing. However, the solution, when you have a paid version, is quite costly. That said, in terms of performance, it's worth the extra cost. Also, it's my understanding that everything is included in the licensing cost, once you pay for the product. There aren't any added fees.

What other advice do I have?

We have a business relationship with Splunk. We're partners.

We're using the solution on our VM and also on our database cloud.

I'd recommend the solution to other organizations. Compared to other products, Phantom seems to be easy to use and the ability to customize is high. Compared to the older version, the newer version is very customizable. We can very easily create custom functions. The UI looks good and is also improved. 

I would rate the solution eight out of ten.

Which deployment model are you using for this solution?

Private Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Chief Technology Officer at Globalnet Research Corporation
Reseller
Good protocol flexibility and team collaboration for threat detection, but the API integration needs to be expanded
Pros and Cons
  • "The most valuable feature is the risk-based access control."
  • "We want to see improvements made to the APIs such that we can connect to many different systems and data sources."

What is our primary use case?

We are a consulting firm and this is a solution that we use for ourselves, as well as implement it for our customers.

Our use case is to establish a platform for threat analysis across different data sources that we have in the company. Essentially, it is an orchestration platform and we want to make sure that we can tie into different endpoints or data sources from which traffic originates. We need to then detect and analyze threats.

What is most valuable?

The most valuable feature is the risk-based access control.

The team collaboration when it comes to detecting a threat is helpful.

I like the fact that we can leverage the API to be able to establish a connection and share information across different repositories.

The flexibility that it has when using different protocols, like TLP, for communicating, is fairly good.

This solution supports the automated handling of phishing attempts through the collection of potentially malicious emails from end-users. It analyzes them, identifies threats, and assesses risk.

What needs improvement?

Phantom was only recently acquired by Splunk so it is not fully integrated yet. Our area of concern is that Splunk Phantom works with the other Splunk products. At this point, there are certain things that are not fully operational across the rest of the product line.

The extension of the product to allow for better integration with other data sources is something that needs attention. We want to see improvements made to the APIs such that we can connect to many different systems and data sources.

The search capability could be improved by way of better indexing and also integration with third-party solutions such as Elasticsearch.

I would like to see escalation management and integration with communication tools like Slack.

I would like to have more capability around analytics.

There needs to be a better facility for documenting and storing issues, as well as being able to find those issues. Splunk does a good job of that, so I think that it will be done.

What do I think about the stability of the solution?

The solution overall is stable, but it could be more so. It is an application server and there is a vulnerability when a traffic overload occurs, or if there is an incompatibility with a backend or another data source. There is a risk that something can freeze up.   

High Availability / Disaster Recovery (HA/DR) is key and Splunk Phantom’s product offerings must ensure sharding and clustering to enable scalability and automated failover

What do I think about the scalability of the solution?

Because this is an orchestration platform, it's supposed to offload the users from being directly involved in looking at and analyzing security issues. It is something that you just let run. From an administration standpoint, we have a team of ten people that work around this platform.

How are customer service and technical support?

Prior to Splunk acquiring Phantom, the support for this solution was subpar. Now, however, the support model has changed and it is pretty reasonable.

How was the initial setup?

The initial setup takes some time because you have to configure it and then connect it to different data sources and make sure that they operate properly. It requires an engineer who's fairly knowledgeable in security, interaction, setup, and administration.

In terms of the deployment time, I think that it is something that you can get up and running in perhaps two or three months. I don't think that you could get this up and running fully in a week, for example.

What's my experience with pricing, setup cost, and licensing?

It is a subscription-based licensing model that varies depending on how much data is processed by Spunk. There are built-in volume discounts.

There are some additional costs if you want to get some front-end support or installation or setup, which is part of professional services. There are also some modules, such as analytics, that Splunk will provide for an additional fee.

What other advice do I have?

My advice to anybody who is considering this solution is to first really understand the requirements that you have, well enough. You need to identify and understand the data sources that you need, prior to purchase, to ensure that there is a need and also that there are no issues with incompatibility or connectivity. You also need to have the right resources to assess, implement, or oversee the implementation. You're going into an environment that requires a little bit of understanding of artificial intelligence because the SOAR platform requires setting up some rules. You also need to have a technical support group in-house to be able to help, otherwise, you would be dependent on Splunk for assistance.

Overall, this product is fairly good but it's not quite mature yet. It needs some enhancement and some stabilization in some areas.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Account-Manager at Consist ITU Environmental Software GmbH
Real User
Reliable with helpful support and the capability to expand
Pros and Cons
  • "Technical support is helpful."
  • "It could be easier to implement."

What is our primary use case?

We primarily use the solution for supporting or automating the email spam items and some ISMS monitoring items, et cetera. 

What is most valuable?

I'm not implementing the solution. I'm selling the concept. Therefore, my technical knowledge is limited. 

The solution is stable. 

It is very scalable. 

Technical support is helpful. 

What needs improvement?

There are only problems if the customer is not ready with emergency plans or standard procedures if something breaks. There is some homework to be done before you can really properly use Splunk SOAR.

Resolution times could be faster in terms of support.

It could be easier to implement. 

For how long have I used the solution?

We've used the solution for two to three years. 

What do I think about the stability of the solution?

The stability of the product is pretty good. It's really stable and the customers are satisfied with the solution, however, they must be always aware that it's a living project. It's always run against hackers.

What do I think about the scalability of the solution?

It's pretty scalable. It's outstanding in administration, so you don't have to put too many HR resources on it. That's one of the advantages. The implementation must be proper and thoroughly thought through. However, afterwards it's really working very well and with less administration compared to QRadar or something like that.

We have customers that have users that range from 100 to 10,000 people. 

How are customer service and support?

The support is quite good. Sometimes, of course, you want to have a shorter resolution time, however, it also depends on the service that you buy.

How was the initial setup?

The initial setup requires some work. It may not be easy for everyone to implement. 

The deployment times differ. You can't say, for example, every time you need 100 days or 10 days or something like that. It's specific due to the use case and what you want to implement or automate.

We have around five and up to ten people in the core security team that deal with the product in terms of deployment and maintenance. 

What about the implementation team?

We are able to implement the solution for our clients. 

What's my experience with pricing, setup cost, and licensing?

Usually, you have a yearly license. However, Splunk must be more flexible and they have to be more sensitive about this topic. My understanding is that they're working on a new pricing model.

What other advice do I have?

We install the solution for our customers and use the solution as well. We're an implementor. 

I'd advise new users to start at a small scale, since you have to learn about it. You can't implement it with a big bang. You must really go through it and do your homework. You have to have your backup plans, you have to have a real transparent view of your IT landscape. If you have this and your logs are quite good and the playbooks are implemented properly, then you can really scale up. You just have to do it step by step, as it's a bit of a learning curve that you have to go through.

I'd rate the solution eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
it_user1404753 - PeerSpot reviewer
Senior Data Analyst at a financial services firm with 10,001+ employees
Real User
Great automation capabilities, easy to use, and offers good GUI
Pros and Cons
  • "So far, the interface is very easy to use."
  • "It would be ideal if we could automate processes even more."

What is our primary use case?

We're not really creating the use cases. Our internal team is developing the use cases. Right now, we have automated the whole phishing process. After that we are still planning to automate a few more things like malware investigation and then from there other processes.

What is most valuable?

We're in the POC phase. We need more time to get used to the solution and to understand it better to discover the most useful features.

So far, the interface is very easy to use.

The GUI is great.

The features in the Phantom playbook are all very good.

You can build different playbook and you can play with the playbook. One playbook can give you insights into URL applications, one playbook you can give the reputation about the file access. You can build different playbooks and after integrating all the playbooks you can come up with some organizational directions and decisions. It will give you very good insights into various incidents.

The solution is great for automating redundant work.

It's difficult sometime to manage the amount of reported suspicious emails. Using an intervention like this solution helps make that task easier.

What needs improvement?

We haven't had too much experience on the solution.

The solution is relatively new in the market.

It would be ideal if we could automate processes even more.

The interface is great, however, they could still keep refining it to make it even more user friendly.

For how long have I used the solution?

We have used the solution over the past year.

Which solution did I use previously and why did I switch?

At a previous organization, I did work with another tool in Beta. It was able to provide UVA capacity. I'm not sure if they used a different tool at this current organization.

The Phantom has better GUI, however, I'm not able to clearly see the risk fabric.

How was the initial setup?

I wasn't part of the deployment team. I have no idea if the initial implementation is straightforward or complex.

Technically, we are still in the deployment phase. We haven't finished yet. We are yet to go live. IN the next few weeks we'll go live, however, only on the phishing features.

Which other solutions did I evaluate?

I'm not aware of the company looking into other options before choosing this solution. All of this was handled by the procurement team, and I am not a party to their decision-making process.

What other advice do I have?

I'm not sure which version of the solution we're currently using.

If a company wants to automate redundant work, this solution is perfect for that. Very specific processes can be easily automated to save time. That way, analysts can invest their time elsewhere. Phantom is one of the great tools for reducing redundancies. 

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Technical Lead at Paladion Networks
Real User
Good security orchestration and when we face challenges with it we can find a solution in the documentation
Pros and Cons
  • "Very flexible integration with other tools"
  • "And most of the challenges that I have faced with the solution can be found in the documentation itself."

What is our primary use case?

Our primary use case of the solution is for fine tuning. We provide professional services for our customers to enhance their ability to use the functionalities of Splunk. We're integrators of the solution. 

What is most valuable?

The most valuable feature of Splunk is a very flexible integration with other tools. Compared to other products in the market, Splunk is very user friendly, and not very complicated. It integrates with most of the endpoints and that's a very positive side of the solution. There's no need to remember a lot of things and documentation is great. I really appreciate that aspect. Since it is cloud-based there is a lot of flexibility. And most of the challenges that I have faced with the solution can be found in the documentation itself.

At this point, I'm very happy with the solution. There's nothing there that disturbs me. Security orchestration is a new emerging issue in the market. If I have to compare with other security orchestration tools, Splunk is a good solution. Many vendors have opted for Splunk because of easy usability and connectivity to radius devices.

For how long have I used the solution?

I've been using this solution for about six months. 

What do I think about the stability of the solution?

Stability is good

What do I think about the scalability of the solution?

Scalability is good, allows flexibility. That's what makes life easy. 

How are customer service and technical support?

There's great documentation and most of the challenges I've faced, I've found the solution via the documentation. I've never contacted the technical support which attests to the quality of the documentation. 

Which solution did I use previously and why did I switch?

I know RSA and Splunk are similar solutions even though I've never used RSA. I know that Splunk is user friendly and doesn't require in-depth knowledge. Everything is file based, applications like RSA rely on databases. I have the confidence of being able to use Splunk efficiently and there are a lot of features I can handle myself the way I want to. 

How was the initial setup?

Initial setup is very straightforward and simple. Much easier than other tools, it takes a couple of days depending on the architecture. 

What's my experience with pricing, setup cost, and licensing?

The solution is for our clients so we don't deal with the licensing aspect. 

What other advice do I have?

It's important to know your customer's requirements so you can choose the correct solution. The budget also needs to be taken into account. Most customer's budgets suit a Splunk solution whereas RSA is much more expensive. 

I would rate Splunk Phantom a seven out of 10. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
PeerSpot user
Senior Analyst at a computer software company with 11-50 employees
Real User
Easy to install wth good documentation and automation capabilities
Pros and Cons
  • "The automation part of the product is great."
  • "The scalability could be better."

What is most valuable?

The automation part of the product is great. 

Splunk SOAR can easily be connected with a lot of solutions that are available out there. The in-built apps are pretty useful to me.

It's easy to install and offers good documentation. 

What needs improvement?

I don't have much experience with that. I'm not sure as I don't have much technical knowledge about SOAR in general. I have a little bit of experience with SOAR. I can't speak to any shortcomings right now. 

The scalability could be better.

It's an expensive solution. 

For how long have I used the solution?

I've worked with the solution for the last year or so.

What do I think about the stability of the solution?

The solution is stable. There are no bugs or glitches and it doesn't crash or freeze. It's reliable. 

What do I think about the scalability of the solution?

We faced a couple of issues scalability-wise, I would say it is average. 

How are customer service and support?

I've never contacted technical support. I wouldn't be able to comment on their level of helpfulness. 

How was the initial setup?

The solution's initial setup is easy and straightforward. They do offer great documentation, which helps with the process.

I'm not sure how many people were involved in the deployment or maintenance of the product. 

What about the implementation team?

I can't speak to if consultants or integrators were involved. I just have general knowledge of the setup and the solution itself. 

What's my experience with pricing, setup cost, and licensing?

I use a trial version, not an actual version. We are partners. We have our work license. My understanding is that the cost is pretty high compared to others, however, I'm not sure of the exact price. 

Users just need to pay for their package. There are no add-on costs on top of that. 

Which other solutions did I evaluate?

I'm not able to compare it with other solutions as I don't have experience with other solutions.

What other advice do I have?

We're a Splunk partner. 

I'm dealing with the latest version of the solution. 

I'd recommend the solution to companies just starting out. 

I would rate the solution eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Download our free Splunk SOAR Report and get advice and tips from experienced pros sharing their opinions.
Updated: October 2024
Buyer's Guide
Download our free Splunk SOAR Report and get advice and tips from experienced pros sharing their opinions.