Splunk SOAR Reviews

I work with Splunk SOAR as well. We mostly use it for phishing-related use cases, brute force-related use cases, and port scan-related use cases. There are many other use cases beyond these three that we utilize. We have ID sweep-related use cases, threat activity detected related use cases, a ransomware use case, and a malware use case. We use Splunk SOAR for plenty of use cases to automate their resolution and response.

From my perspective, the best thing that I perceive with Splunk SOAR is where it is able to consolidate the data from the different log sources, and that helps me to investigate any incident. I am ingesting from multiple log sources. If there is an incident that has been logged, I will have visibility about all the different data that are required to investigate that incident in the single pane. In the single dashboard, I should be able to visualize it. I am able to see what has happened with this incident and what action has to be taken. Automatic recommendations also come from Splunk SOAR. These are the few things that we value very much on a day-to-day basis.

Splunk SOAR has improved our MTTD and MTTR both with the consolidation with a unified platform with Splunk. Mean Time to Detect and Mean Time to Resolve were trending high before Splunk SOAR. Once we finalized and fine-tuned Splunk SOAR platform, it started trending within the limit that is defined for our organization. That's the first thing. The second thing that we have started observing is that there used to be a quality issue when it comes to investigating the incident. If an analyst investigated by looking at and correlating the data from the different sources, they always tended to make some mistake where they were overlooking some of the aspects for the incident investigation. We have improved this a lot. Since we have Splunk SOAR, where things are being automated and we are able to visualize things, we have zero or maybe no chance of missing things. That is helping us to improve the incident investigation quality. These are a few things that I will call out that has helped and that are helping on a day-to-day basis.

One thing that we would like to see with Splunk SOAR is the expandability to the threat intelligence feed. Currently, we have limited ingestion to the threat intelligence feed for the correlation purpose. We would like to see it being integrated, with license cost or without license cost, to leading threat intelligence sources such as Recorded Future, Feedly, or Flare. That is something we would appreciate having integrated. The second thing on the improvement side is about exposed credential-related information. If we start ingesting those data to Splunk SOAR or SIEM with some sort of integration with threat intelligence feed, that will also improve our detection and prediction method or help us with the investigation.

I have been working with Splunk SOAR for the last three years.

We have not experienced stability issues. We are always notified if there are any maintenance activities. The impact would always be minimal. We have not seen any impact in the work that we do with Splunk SOAR or the SIEM platform. I would rate it at 99.9 percent.

We have not experienced scalability issues as of now, but there is a plan where we should be able to expand the usage of Splunk SOAR soon.

Splunk's customer service and technical support teams are being helpful. Sometimes if they are not able to decide where the resolution should happen, we always have a customer support representative who will come in the picture and help us to direct any ticket or any issue that we are facing to the right team. I would rate eight on a scale of one to ten for the overall technical support of Splunk.

Positive

It used to be Splunk SIEM only, the simple SIEM solution before implementing Splunk SOAR. It was not open source.

The setup was smooth because we used to be a Splunk shop itself, so we just had to add Splunk SOAR on top of it. It took a couple of weeks to get everything running. There wasn't much hurdle that we had to go through. The only thing we had to focus on was automating the workflow where we had to attach the response plan and the fine-tuning in a few cases. That was something we had taken as part of business-as-usual activity.

Splunk SOAR has saved us a lot. Monthly, around 300 hours of effort, it is saving with Splunk SOAR. We used to have a large team. It is not about only hours that it has saved, but it has saved cost from the cost point of view. It has helped us where we were able to run the SOC operation with the less number of headcount versus what we used to do earlier. 300 plus hours per month it has saved, as well as from the headcount perspective, it has saved us on the costing.

I am familiar with the pricing aspect, setup cost, and licensing cost of Splunk SOAR, and it is pretty much similar to what industries are offering these days. We never had any issue when we had to set up this Splunk SOAR platform. We got all the help from the Splunk vendor itself. They had their team members come in and implement all those things. That's where we are running it from the last couple of years.

It used to be Splunk SIEM only, the simple SIEM solution before implementing Splunk SOAR. It was not open source.

Recently we had one malware alert where something occurred and we had multiple malware alerts from one system that was sent and the SIEM had flagged about it. That specific alert immediately, once Splunk SOAR started to take action, it was able to flag a recommendation and the next step. That basically helped team members to immediately contain the system and resolve that incident. Within one hour we were able to figure out what had happened and what the impacted system was that was generating the malware alert, and we were able to contain that system.

Skill-wise, we have been getting recommendations on the different training on a time-to-time basis with Splunk SOAR. We used to connect with the account manager as well where they used to facilitate or propose some of the sessions that our team could attend, so that has also been very improving and beneficial for the team.

Splunk SOAR has been helping us in terms of detecting and helping us to investigate the security alerts. We have been very much satisfied with how well this platform has been helping us and helping us to see our full infrastructure with Splunk SOAR.

The playbook integration and automation of the workflow would be something one can plan in advance regarding Splunk SOAR. Given that it had taken a lot of time and required fine-tuning, if one can focus on that aspect before even initiating Splunk SOAR, then that will ease the things once Splunk SOAR will be in operational mode. My overall rating for this product is seven out of ten.

Splunk SOAR is used for internal company operations. One of the best use cases implemented in the last three months with Splunk SOAR is automated phishing triage. Before using Splunk SOAR, if a user reported any suspicious mail, I had to manually extract IOCs such as URLs, file hashes, or IPs and then jump between a Threat Intel platform to check their reputations. It was a repetitive and time-consuming process. Now, we have a playbook that handles the initial heavy lifting. As soon as a suspicious mail is reported, Splunk SOAR automatically parses the email and extracts all the artifacts and cross-references them against our threat intel source.

The biggest valuable feature of Splunk SOAR is the integration ecosystem. Since we have used a mix of tools such as SentinelOne and Splunk, having a SOAR that connects seamlessly with everything is huge. The visual playbook editor is quite user-friendly, allowing us to map out logic visually instead of writing complex code.

Splunk SOAR has helped a lot for my team in prioritizing and responding to security alerts and incidents. Better documentation for troubleshooting has been valuable, while documentation is challenging work for us, and it can be difficult to find clear, step-by-step solutions. I would love to see a larger library of production-ready playbook templates.

The impact of implementing Splunk SOAR's automated playbooks on my security analysts' daily workload and responsibilities has been a game-changer for our SOC visibility. Before, we were dealing with large amounts of data, and I could spend way too much time manually piecing together what happened on the endpoint by jumping between different tools. Since we implemented Splunk SOAR, the correlation pulls all those different data streams into a single comprehensive timeline. I have the context I need right there on the screen. My Mean Time to Respond has dropped significantly because I'm no longer chasing false positives or alert noise.

Splunk SOAR has helped a lot to reduce my Mean Time to Resolve.

I have found a challenge in my three months with Splunk SOAR in that it is quite a heavy tool to maintain. It's definitely not a set it and forget it situation. Playbooks require constant maintenance and upkeeping. For example, if the API for one of our integrated tools changes or gets updated, the automation can break and I have to jump in to fix it.

I am satisfied with the customization and management of Splunk SOAR playbooks in my environment. Right now, the learning curve to build complex logic from scratch is a little difficult for beginners. However, the templates for common threats are easier to customize.

The use of Splunk SOAR's automation playbooks has improved how my analysts allocate their time during a typical security investigation. We don't need to see small alerts, and two analysts no longer might handle the same type of alert in slightly different ways. Now every alert goes through the same automation steps such as checking threat reputation or pulling endpoint logs every single time. It eliminates human error because I am not missing a step when I'm rushing or dealing with a high volume of alerts. It's basically given me a force multiplier. The playbook handles the boring and repetitive parts, so I can actually focus on the complex incidents that really need human insight.

There is a need for improvement in terms of using advanced terminology.

I have been working with Splunk SOAR since the last three months.

In terms of stability, overall the stability in the three months I have been using Splunk SOAR, we handle a constant flow of alerts throughout the day. The platform handles that workload without any major lag or crashing. The playbooks execute reliably every time, which is critical because if an automation tool is unstable, it just creates more work for us to verify if an action actually finished. I haven't run into any stability glitch or unexpected downtime, so I have been really confident in its ability to process our triage requests without needing any constant monitoring.

For now, we didn't encounter any challenges or limitations with Splunk SOAR. The scaling has been impressive. Since we have been using it at our organization, I have seen that the platform is built to handle enterprise-level workloads without breaking. In my three months of using it, even as our alert volume shifts or we add more playbooks to the system, the system has remained stable with lots of playbooks and other operations going in the backgrounds and backends. I really appreciate that it supports scaling. As our SOC grows, our SOC team grows, and we need to process more data or more concurrent automations, the architecture is designed to handle that load.

It has a lot of scaling capability. As I said earlier, it has improved a lot in our organization. Scaling as a junior SOC analyst isn't just about doing alerts faster; it's about shifting from being a consumer of a SOC tool to an architect of its efficiency. It is good in scaling.

We have a support team for Splunk SOAR that communicates any technical faults we encounter to the Splunk technical support.

The technical support experience with Splunk is quite good. If we get into a problem, the technical support experience is a bit good in my experience.

The support is generally a bit complicated for someone who is a beginner or new to this product to understand the scope, initial deployment, or any query regarding it.

We did also use Shuffle for a SOAR tool before Splunk SOAR.

We decided to switch from our previous solution to Splunk SOAR because Shuffle has some limitations and it doesn't have many features that Splunk provides. It is a little more complex to learn.

I was a little bit involved in the deployment part of Splunk SOAR. From that point of view, the deployment wasn't exactly plug and play, because we integrated it across our existing stack, such as our SIEM and EDR. That's a fair amount of configuration involved in it, especially getting the API keys and authentication set up correctly for each connector. It's not something you can just spin up immediately. Once the core architecture is in place and the connectors are mapped to our environment, expanding it to new playbooks is much easier.

I am satisfied with the customization and management of Splunk SOAR playbooks in my environment. Right now, the learning curve to build complex logic from scratch is a little difficult for beginners. However, the templates for common threats are easier to customize.

We decided to use Splunk SOAR because it's a powerful, reliable engine that has significantly improved our SOC operations, especially in terms of incident response time and scaling features. It's an essential tool for enterprise environments.

Our team recommended us to use and learn about Splunk SOAR, so that's why I got started with it. I really appreciate this tool because it gives us very practical knowledge about the enterprise Splunk SOAR product. I provided this review a rating of 9.

In our SOC environment, Splunk SOAR is primarily used for security tasks and repetitive security tasks. Common use cases include phishing email investigation, IOC enrichment, malware investigation, IP and domain reputation checks, and ticket creation. Whenever alerts come from a SIEM tool, Splunk SOAR automatically gathers that information from different security tools and provides analytical and required context. This has helped to reduce our manual, repetitive tasks.

For business resilience, Splunk SOAR significantly improves our incident response process. Whenever we raise a ticket, we have to follow up with the team or client to determine whether it's a true positive or false positive, or if any action has been taken. Since we have integrated with multiple devices such as firewalls, AWS, switches, routers, and servers, we can directly perform mitigation tasks from our side. We only need to integrate the client server to Splunk SOAR technology through playbooks. Playbooks help very well for our organization.

We are using two products: Shuffle SOAR and Splunk SOAR. Compared to Shuffle SOAR, Splunk SOAR's integration is very easy for multiple security tools. The second valuable feature is the playbooks and how they are very organized with standard playbooks available for incident response. Third, the visibility is very good in Splunk SOAR. These are the three things I value the most.

Splunk SOAR helps a lot with consolidating our networking, security, and observability tools. We are saving almost 200 hours compared to not using Splunk SOAR. As repetitive tasks are generally performed by our L1 team, we are saving most of our valuable time compared to the manual approach. This time is now used for investigation purposes, such as when incidents occur or when ransomware or malware attacks happen, rather than doing the same manual tasks repetitively.

The price of Splunk SOAR is high. From a price perspective, the cost for an organization is very high. The documentation and playbooks can be better. For all integration partners, not all tools are integrated with Splunk SOAR technology. Documentation and costing are two important factors that could be improved.

I have been using Splunk SOAR for one year.

I rate Splunk SOAR as nine for stability. Stability-wise, it is good. There have been no issues or errors.

Scalability depends on the integration part for Splunk SOAR. I would rate it as nine. It depends on the integration part: how many alerts there are, how many devices there are, and how we integrate those devices with Splunk SOAR technology.

I rate technical support for Splunk SOAR as eight.

Splunk SOAR is very easy to deploy. The initial setup is very easy. Multiple playbooks are available for repetitive tasks. We generally follow these for repetitive tasks. The use case design is very easy for a beginner level. However, if you want to integrate with other devices, vendor documentation is required for that integration part. For initial setup, Splunk SOAR is very beginner user-friendly for repetitive tasks.

We do not calculate ROI formally, but based on my knowledge, we can say there is a 40% return on investment with Splunk SOAR. Not every alert is generally raised to the client. We primarily raise tickets from repetitive tasks through Splunk SOAR technology, not for incidents or malware or ransomware. The time savings also contribute to the overall value.

Shuffle is open source and also good, but it has a limited scope. Splunk SOAR has a larger integration ecosystem. Shuffle SOAR is very good, but compared to Splunk SOAR, it is not as comprehensive. Scalability-wise is also better with Splunk SOAR compared to Shuffle. Splunk SOAR is suitable for a large SOC environment. We are a medium environment, so we use it for that. There is also better support from the teams and TAC teams for Splunk SOAR. Compared to Shuffle, we do not have that support, so we have to manually raise tickets to their support team and request help from them.

Splunk SOAR provides a 50% reduction in threat response time. If a multiple login failure occurs, we previously required 15 minutes to raise that ticket to the client or our teams. After implementing Splunk SOAR, it takes only one to two minutes or four to five minutes. We are saving almost 50% of the time for our customer from an SLA point of view.

Splunk SOAR rates an eight on the pricing scale, from one to ten, where one is cheap and ten is expensive.

Splunk SOAR can be used for initial repetitive tasks as it is user-friendly. If you have specialists, you can create and modify the playbooks provided by Splunk SOAR. All of Splunk SOAR implementation is basically dependent on playbooks and how you modify, edit, or implement them. If your organization has good experts on playbooks and creating playbooks, you can go with Splunk SOAR. My overall rating for this solution is nine out of ten.

My use case for Splunk SOAR is for orchestration, mostly for automation, as I work with the Security Operations Center. We have a lot of notables firing in Splunk, and in cases where there is just a need for system owners to be notified, I use this SOAR tool to send an email, send a message, or create a ticket in ServiceNow. It checks for a few parameters, and we push out an email for those kinds of things.

In terms of time savings in threat responses, as a team, we save more than 30%, estimated around 30-40%. This is because previously, analysts spent time on cases that could easily be automated, but now after implementing these automations, the load has significantly reduced, allowing us to focus on further improvements.

The best features of Splunk SOAR include its multiple capabilities. For example, if there is a malicious IP, such as from a phishing mail, we can find out the sender IP and take action based on the verdict by using multiple app connectors in Splunk SOAR.

It sends an API call to check the IP reputation and informs us if it's malicious and what actions we should take, either blocking the IP address from the perimeter firewall or storing it for future threat hunting.

It connects with multiple apps such as ServiceNow and reduces the burden on the analyst by automating processes that don't require much investigation, allowing us to generate monthly reports on tasks performed by Splunk SOAR.

There are areas for improvement in Splunk SOAR, such as the need for more code-level customizations despite providing drag-and-drop options. I feel that integrating AI for customization could streamline the process, as not everyone using Splunk SOAR has programming skills, and AI prompts would help better integrate code.

There's also a need for faster integration of multiple apps such as ServiceNow to enhance usability, as I've seen people considering other SOAR platforms that require less coding.

I have been using the product for about one year, as Splunk SOAR was quite recent.

I notice that Splunk SOAR is performing its tasks well. However, some errors require manual troubleshooting, which feels more cumbersome compared to ServiceNow, which seems more user-friendly.

Nevertheless, I find Splunk SOAR stable as it fulfills its function when everything is correctly set up.

I would rate Splunk SOAR's stability at around eight, indicating that it is quite stable with minimal downtime, bugs, or glitches.

Regarding scalability, I find it to be a nine, as we have had no issues with scaling Splunk SOAR.

I'd rate Splunk's technical support around five because compared to IBM QRadar, their support is much better. I feel Splunk should enhance their support, as it appears lacking, especially considering the costs associated with higher licenses.

Positive

Before implementing Splunk, my team primarily used QRadar in this company.

The deployment was easy and straightforward; I don't think it was complex.

I don't remember the exact time taken for deployment, but it was done quite some time ago, possibly within three to four hours, though I'm not entirely sure.

The purchase of Splunk SOAR was made through a partner purchase.

Splunk's unified platform consolidates networks, security, and IT observability tools, though I have noticed that it's an admin's task to ensure all logs are consolidated and parsed correctly. While Splunk does some consolidation, it requires manual effort to ensure that the source IPs and key values are consistent across different source types.

My advice for others looking to implement Splunk SOAR is to first conduct a proof of concept to ensure it meets their requirements. There is a perception that Splunk SOAR is costlier than other SOAR tools, so exploring options during a POC is vital to determine if it's suitable for their needs.

Approximately 50 users in my company work with Splunk SOAR, mainly the development team involved with ticketing tools, while more than 1000 use the actual Splunk.

The users are global, with deployments in three locations: India, Denmark, and the US. I would rate this product a 7 overall.

I have been working with Splunk SOAR for about two years now, and it started out of necessity as my team was primarily using Splunk for centralized logging, which became a bottleneck as we scaled to over 5,000 users and integrated more apps through Okta and Ping, exacerbated by an onslaught of account lockout alerts and impossible travel flags.

My main use case for Splunk SOAR right now is automating identity threat detection, specifically ITDR, as we deal with our 5,000 users across various SaaS applications and are overwhelmed by alerts related to breaches requiring investigations, such as impossible travel and brute force attempts.

A recent incident that highlighted Splunk SOAR's value involved one of our senior DevOps engineers being targeted by an MFA fatigue attack, where Splunk Core flagged multiple MFA prompts that would have typically alerted a SOC, but thanks to Splunk SOAR, the situation was efficiently managed without human error.

After witnessing Splunk SOAR handle that incident quickly, my team felt a significant relief as there had been skepticism about automated playbooks, yet seeing Splunk SOAR manage real-world MFA attacks transformed our perspective on automation and its benefits in reducing alert fatigue.

The preparation time for audits has dropped significantly, transforming from weeks of manual log gathering into just days, aided by the automated actions that Splunk SOAR documents in a comprehensive manner.

In my opinion, the best features of Splunk SOAR include the visual playbook editor, which serves as a lifesaver for automating responses, the app ecosystem with hundreds of pre-built apps that connect our tools seamlessly, and the orchestration capabilities that greatly enhance our security posture.

One feature that I believe deserves more recognition is the playbook debugger, which allows us to run our playbooks against real data without executing actions, and this capability has significantly built our confidence in automating processes without risking critical errors.

While I appreciate Splunk SOAR, there are areas for improvement, notably regarding the CI/CD pipeline for playbook lifecycle management, as transitioning playbooks from development to production currently feels cumbersome and requires more manual effort than I would prefer.

Expanding on the needed improvements, I find that the user interface needs refinement, especially for complex flows where nested views would enhance readability and usability, making it easier to manage extensive playbooks.

Prior to choosing Splunk SOAR, we evaluated alternatives including Palo Alto XSOAR and IBM Resilient, but ultimately selected Splunk SOAR due to its native integration capabilities and superior playbook viewer.

Splunk SOAR has saved our organization considerable time, with its automation allowing us to shift focus from managing a backlog of identity tasks to prioritizing projects such as zero trust architecture and threat hunting.

Since deploying Splunk SOAR, there has been a notable reduction in time spent on monotonous security tasks, which I estimate to be around 95%, enabling my team to focus on more strategic initiatives.

Splunk SOAR has improved our organization's business resilience by increasing response speed and reducing manual complexity, positioning us to predict issues more proactively, thereby preventing potential disruptions before they impact users.

My advice for those considering Splunk SOAR is to clarify what needs automating and to treat it as a capability-building measure, establishing clear goals and investing in a solid framework for integrating it effectively. I would rate this product an 8 out of 10.

My main use cases for Splunk SOAR are automating security response and incident response. We use Splunk SOAR for phishing campaigns and detecting any kind of malicious viruses or anything similar that is in the organization. I can provide examples of how these features benefit my organization.

The features of Splunk SOAR that I appreciate most are the integrations with all the other applications and tools. The consolidation of tools greatly impacts my organization since I have everything all in one place, which is great. 

It has saved me time in threat response since we had no wait time in threat response. Splunk SOAR has helped improve my organization's business resilience. 

My impressions of Splunk's ability to predict, identify, and solve problems in real-time are very impressive. Doing everything in real-time provides us with the best actual notifications and alerts, which really helps us a lot.

I haven't gone too far into it to see anything that needs improvement yet. We can likely include some features related to the integration with on-premises resources, rather than focusing solely on the existing automation. 

These are the additional features that could be included in the future. Splunk's Unified Platform does help consolidate networking security and IT observability tools. They should integrate Splunk Enterprise Security better into Splunk Cloud.

I have been using Splunk SOAR for a year.

The reliability of Splunk SOAR is definitely there. The stability depends on how much we scale, which is something we can determine at a later point. We have not experienced any downtime, crashes, or performance issues.

Splunk SOAR has the ability to scale quite significantly. Our organization's needs are very low, so we can't really measure the scaling. I know that it has that capability. We have not expanded usage, and the process has not been smooth.

I would rate customer service and technical support as an eight out of ten. The resources are largely community-based, which makes it more difficult with Splunk SOAR. 

While support is available, the resources around Splunk SOAR are more homegrown by other users, and discovering different troubleshooting methods is harder to do with Splunk SOAR than with Enterprise Security or other Splunk services.

Positive

Before implementing Splunk SOAR, my team used tools such as VirusTotal, hybrid analysis, and other open-source tools for detection. That's how we guided our SecOps team in performing security investigations.

In terms of deployment, there were no issues. It was pretty seamless. Some areas around the automation broker gave us a few hiccups. Otherwise, it's a seamless deployment.

We have seen ROI with Splunk SOAR. Our ROI is evident in our phishing campaigns and in detecting phishing alerts. We've seen a decrease in false positives and a significant increase in our containment.

I don't have experience with costs; management handles that aspect.

I would rate Splunk SOAR overall a nine out of ten. 

The advice I would give to other organizations considering Splunk SOAR is that if you have the license, use it; if you don't have it, find a use case for it and implement it. 

My company does not have a business relationship with Splunk other than being a customer.

I mainly using Splunk SOAR for security automation. We want to create security incidents based on monitoring data and logs in Splunk. For example, if we identify firewall issues such as unauthenticated firewall login attempts, we analyze these logs and create security incidents. Our SOC team then works on these incidents to find the resolution and take necessary actions.

We use many playbooks and customize them extensively. We have built most of our playbooks based on learnings from our experience.

Splunk SOAR is very flexible. We can use Python, which is one of the best aspects because we can write many Python-based playbooks that significantly reduce manual SOC work. Additionally, it supports all environments including on-premises, cloud, and hybrid deployments.

There are many workflows available to investigate issues, which is very valuable. Splunk SOAR provides alerts immediately whenever something wrong happens, unlike our previous Splunk alerts which we could only schedule for specific times. This immediacy is very useful.

It is also helpful for threat intelligence enrichment. When we identify threats in our logs, Splunk SOAR assists us. We frequently receive phishing IPs and phishing emails, and Splunk SOAR immediately identifies all of these and informs our full team via email.

Analysts save a lot of time with Splunk SOAR. For example, with phishing emails, we can find the email in our email logs and identify it as phishing from a specific sender. We can integrate many things with the playbook including the email ID, IP address, sender information, and email content such as links or attachments. All of these details are included in the incident and sent to ServiceNow to create an incident containing everything needed. This makes troubleshooting easier because analysts can read all information and understand the full issue, allowing them to start investigating directly or know what to do next. We can also include next steps in the playbook such as blocking the sender.

Licensing becomes expensive for large-scale automation. We currently have fewer than 50 playbooks, but if we were to go over 100 or 500 playbooks, licensing would become significantly more expensive because of the large amount of data ingestion.

To make Splunk SOAR more usable, the tool needs to be simplified. There are many other tools in the market that are very good. For instance, Torq is better than Splunk SOAR because Torq has a no-code UI where we can accomplish anything through drag and drop. In Splunk SOAR, we need to write playbooks, so the tool could be improved with drag and drop functionality or default predefined playbooks.

Another limitation of Splunk SOAR is that initial learning is required. Additionally, when a playbook fails partway through, it is difficult to identify and troubleshoot the issue.

I have been using Splunk SOAR for one year.

Splunk SOAR is a stable product. We have not experienced any downtime or issues.

Scalability will increase cost somewhat because of more data ingestion. However, there are many benefits that come with the increased cost, and the return on investment is very good compared to the cost. For example, we are paying a certain amount but receiving value equal to that investment.

Technical support was very good and very helpful. Whenever we have a problem, we raise a case and the support team comes and fixes the issue. They are very responsive.

We have never used another SOAR solution before. I am aware that Palo Alto SOAR exists, but I do not know details about it.

We did not switch from another SOAR at our current company. However, at my previous company, we were using Torq, and at my current company, we are using Splunk SOAR. This is why I am familiar with both. By comparing both products, I prefer Torq.

Deployment was very easy. We received help from Splunk support, and they provided excellent assistance, making the deployment straightforward. We experienced no challenges.

I can provide one piece of advice. Before purchasing Splunk SOAR, explore many other SOARs as well. Palo Alto SOAR is available, and I have heard of Tines, which is also a product worth considering. Based on your use cases, you can make a decision. If you are completely dependent on security automation and an incident response platform, then Splunk SOAR may be suitable. If your use case does not match this area, you should choose another SOAR or consider Torq.

Onboarding a junior analyst is somewhat complex because they need to become familiar with the UI, which is complex for new junior analysts. However, if someone has experience with Splunk SOAR and other similar tools, they can onboard easily and work on the platform effectively. I would rate this product overall as a five-star solution based on the overall experience.

The use cases that I work with mostly in Splunk SOAR include phishing email responses automation, where Splunk detects suspicious indicators such as the URL, IP, and geolocation from reputed VirusTotal or Hybrid Analysis, blocks the email directly on the gateway, quarantines it, and creates an incident if integrated with ServiceNow or other SIEM tools.

A second use case is brute force attack detection, where Splunk SOAR detects multiple login failure attempts, checks the intel to auto block the IP on the firewall, and locks the user, asking them to change their credentials.

A third use case involves malware endpoint detection, where an alert detected in an endpoint leads Splunk SOAR to isolate the endpoint, kill the malicious process, collect forensics, and notify the SOC team.

I value the Threat Intelligence Enrichment feature most in Splunk SOAR, where Splunk detects suspicious IPs and domains, scoring those IPs, geolocation, history, and activity, as well as vulnerability management that finds many critical vulnerabilities and maps them, making the job very easy; earlier, it took me two days to do this job, and now it takes only about one hour or fifty minutes.

Splunk SOAR has indeed helped improve my organization's business resilience through centralized log management, providing pre-built dashboards, threats, trends, and alerts on time; the strong saved queries in SPL allow us to automate monitoring, incident response, and create a backup plan, significantly reducing manual effort and improving the response time, thereby ensuring our business continues running without interruption.

From the improvement point of view regarding Splunk SOAR, I suggest including more types of LLM models such as autonomous AI models including Anthropic and Opus 4.6, as well as creating a playground for new users to work on these, which will significantly help solve complex problems and assist new companies in understanding how Splunk works easily.

I think the pricing and licensing of Splunk SOAR are good, but from the price point of view, it is necessary to ensure that deduplication of alerts does not exist, and that recommendations are provided to further reduce cost optimization.

Regarding the scalability of Splunk SOAR, I think you can utilize greater LLM models coming to the market to make it more scalable, faster, and optimized.

I have been working with Splunk SOAR for almost the past six or seven plus years as I have been a Splunk user from the very beginning, creating playbooks of Splunk and utilizing that, and now the Splunk SOAR orchestration part has become very clean.

I find Splunk SOAR very stable and reliable, utilizing playbook patterns and a maturity model, along with threat intelligence integration with other tools, as it has a good marketplace capable of fetching data and more.

I have not encountered any outages or glitches within my experience with Splunk SOAR.

Regarding the scalability of Splunk SOAR, I think you can utilize greater LLM models coming to the market to make it more scalable, faster, and optimized.

I have worked with Splunk SOAR's technical support or customer service, which I find to be as perfect as Splunk SIEM; I would rate them an eight out of ten.

Before Splunk SOAR, I did not use SentinelOne much, but there were some use cases in Sentinel for anomaly detection that I utilized; however, Splunk performs better in terms of phishing analysis and other related areas.

Splunk SOAR was already implemented when I started working at my current company.

Splunk's unified platform absolutely helps me consolidate networking, security, and IT observability tools, enabling collaboration in a single dashboard from the NOC and SOC perspectives to mitigate metrics related to application and data utilization and kill unknown processes from the CPU to keep the server and production running smoothly.

I have saved much time thanks to Splunk SOAR's impact, where earlier, without autonomous monitoring, users took almost one day or two days; now, a twenty-four hour job is done in almost thirty minutes.

An example where automation saved my team and helped prevent a critical security incident involves phishing email analysis; before automation, analysts manually reviewed emails, checking URLs and IP addresses, which took almost one hour, but after executing a playbook in Splunk, it automatically detects indicators such as URLs and malicious IPs, blocking them from the firewall and quarantining emails in less than a minute, reducing what took two to three hours for L1 analysts to less than a minute.

Splunk SOAR is deployed on the cloud as well as Splunk Enterprise. I rate this product a nine out of ten overall.

The most valuable feature I find in Splunk SOAR is the ease of creating playbooks.

Splunk SOAR helps reduce my mean time to detect significantly and enhances it very well. It reduces the mean time to detect by approximately 70%. It has also helped me reduce my mean time to resolve by the same value.

The visibility of Splunk SOAR's playbook viewer is rather unclear to me; I wonder what the visibility is for.

There are indeed some problems with integrating Splunk SOAR with other Splunk products or other vendors in my system, and it took a while after implementing Splunk SOAR to train my SOC team on how to use the playbooks.

Splunk SOAR does not help me reduce my security event volume; in fact, it makes them massive.

Splunk SOAR does not help me free up resources to work on other projects; they are not good in this regard.

I have not seen time to value with Splunk SOAR; I am curious about what time to value means.

I believe Splunk SOAR can be improved by adding more integrations and out-of-the-box integrations, and by increasing the number of admins that can access the solution simultaneously. I see the need to inject more AI in creating the playbooks.

I think they can inject more threat intelligence into the solution.

I have been dealing with Splunk SOAR for around two years.

My experience with the technical support by Splunk has been quite positive; I would rate them at 80%.

Positive

Before implementing Splunk SOAR, my team did not use a commercial or open-source solution to help guide our SecOps teams; they were using XSOAR from Palo Alto and FortiSOAR from Fortinet.

I did not switch to Splunk SOAR; I am still using both solutions.

My experience with the implementation and configuration of Splunk SOAR is that it is seamless and not complex. I can find complexity in something such as XSOAR from Palo Alto.

If you are talking about the implementation duration for Splunk SOAR with about six playbooks, it can take around 30 man-days.

I would assess Splunk SOAR's ability to integrate with other systems and applications as very relevant in my environment.

I view Splunk as a platform; I can definitely consider Splunk as a platform. It is not only a SIEM or a SOAR; it is a complete platform. They are increasing the modules integrated with it, so I can give them a rating between 80 to 90%.

My experience with the pricing of Splunk has been that in the past, they were very expensive, but now they can compete with even FortiSOAR or FortiSIEM. The difference in pricing is very good right now.

I would usually recommend Splunk SOAR for customers who do not have the knowledge or the maturity level required for acquiring a native SOAR.

If companies are new to SOAR technology, they can use Splunk SOAR, but if they are at a very good maturity level, they can use something such as Palo Alto. I would rate this review at 7 out of 10.

Splunk SOAR has been in use for almost seven or eight years.

Splunk SOAR is very good at doing correlation. They handle the triage and correlation aspects very efficiently compared to other SOAR solutions in the market. Because the base of Splunk is data-driven, Splunk SOAR is the first solution which created the foundation based on the database and data-driven triage and identification. That is something we liked a lot.

Splunk SOAR definitely helps because there are many connectors available which we can integrate with different devices, whether it's network devices, firewalls, servers, or access points. All of those we can integrate and we can give a single pane of glass view of the health check on all the security devices running in the environment.

Splunk SOAR is very good and very efficient. The UI is very good, and that way we don't have to struggle with a lot of pages. Everything is on the dashboard and every detail is just a click away. That way it saves a lot of time. If you look at other SOAR solutions, their UI is quite complex, and you have to navigate a couple of pages to get into the bottom of the problem or the issues. That way I think it's very handy and convenient in Splunk SOAR.

It saves time in many aspects and is very efficient in many aspects. Because you get to know the issues very quickly via a dashboard, then you will have a quick option to allocate this to the engineering team or the concerned department to work on that issue and resolve it. Then you also have an option to collaborate on the same SOAR platform with a cross-functional team to understand the issue in detail. After that, there is an option for the root cause analysis and creating the report and sharing it with management. All of these things are available on Splunk SOAR which makes it very user-friendly.

Splunk SOAR can use generative AI more extensively in terms of creating the reports which can be presented to the top leadership. There are other couple of items they can do. I don't have an immediate suggestion. I think a brainstorming session on each of the aspects of the product would be beneficial. There is an additional possibility to infuse generative AI in terms of creating reports and improvising some of the more functionalities.

Technical support can be improvised more. That is one area where I feel the team is sometimes struggling. Response time is also good, but the quality I would say can be improvised.

The initial setup is not very simple. This is one aspect which is not very simple initially. It requires a lot of work in the beginning but it's still not so bad. It's very competitive compared to other SOAR solutions.

This solution is very much scalable, so I would rate it a ten.

Microsoft Sentinel is the competitor I would say. If you see in a lot of cases where Microsoft is the cloud, they are able to succeed with their Sentinel. However, if I have to make a personal choice, I would go with Splunk SOAR because the expertise is quite good.

We have done the automation, and many security incident tickets that get created can automatically route to the available engineer and the entire process is automated. That's one area which we see. Then there are certain thresholds that we have set up. We can set up the policy that if there is a certain threshold for a particular element to escalate the thing, that can be created in a time-bound manner. If you want to revise your policy and revisit at a certain point of time, you can do that also. You can automate that piece of work as well.

The pricing is quite high. Splunk SOAR is high priced, but their product is also a market leader, so that way it is good.

In most of the cases, we do it via the expert consult agency. We outsource it most of the time. There are a few elements where we own the responsibility, but the majority of the elements will be taken care of by the expert outside resources. I would rate the overall experience somewhere between eight to nine.

Everything is cloud-based now. I have been using Splunk SOAR for 16 years. My overall rating for this product is nine.