Strategic Account Executive at a computer software company with 51-200 employees
Real User
Top 5
Oct 22, 2025
Has automated patch management and incident response to save significant time for financial use cases
Pros and Cons
  • "Splunk SOAR saves time in threat response, and the time to solve an incident is currently the best in the market."
  • "There are areas where Splunk SOAR can continue to improve, particularly regarding the synchronization of information, as sometimes it takes longer than other tools."

What is our primary use case?

One of the main use cases I worked with Splunk SOAR was for a bank, specifically HSBC Hong Kong, a central bank.

A success story where Splunk SOAR saved my team significant time was during implementation at the bank. Previously, the information of incidents was managed manually, often leading to human errors, but with Splunk SOAR's AI and ML capabilities, they no longer needed to spend excessive time consolidating reports.

What is most valuable?

I have experience with Splunk SOAR and am familiar with it as with similar products such as Splunk On-Call.

The automated patch management feature is what I appreciate most about Splunk SOAR compared to Devo, which includes vulnerability response capabilities, triggers, and the AI-assisted playbook for handling various vulnerabilities.

Splunk's Unified Platform helps consolidate networking, security, and IT observability tools. When integrating Splunk SOAR with the NOC or operations centers of customers, deep integrations can be achieved, for example, with Cisco Security Cloud and AI and machine learning capabilities, which enhance playbooks and incident analysis.

Splunk SOAR saves time in threat response, and the time to solve an incident is currently the best in the market.

My impressions of Splunk SOAR's ability to predict, identify, and solve incidents in real time depend on the customers. If customers have their playbooks or knowledge bases properly implemented beforehand, the real-time capabilities become effective, but often they do not, which creates challenges.

What needs improvement?

There are areas where Splunk SOAR can continue to improve, particularly regarding the synchronization of information, as sometimes it takes longer than other tools. While they offer fantastic regional support, such as Spanish technical support, there is still room for improvement.

I would rate Splunk SOAR support an eight out of ten because escalating a ticket to a higher level can take more time, indicating a need for a larger support team.

They have bottlenecks in their support system.

For how long have I used the solution?

I have dealt with Splunk SOAR for about three years.

Buyer's Guide
Splunk SOAR
January 2026
Learn what your peers think about Splunk SOAR. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,082 professionals have used our research since 2012.

What about the implementation team?

We purchased Splunk SOAR with a partner, Metabase Q, which is a main partner of Splunk, and they maintain a strong relationship with executives at both companies.

What other advice do I have?

My experience with the pricing of Splunk SOAR is that it is expensive; however, it is the best, so if you want the best, you need to invest accordingly.

I rate Splunk SOAR a nine out of ten because it is really user-friendly, the time to value is great, and it is not complex compared to other solutions, such as IBM's, where you often need highly skilled engineers for implementation, while Splunk SOAR provides much functionality out of the box.

I gave this solution a rating of nine out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Oct 22, 2025
PeerSpot user
Information Security Architect at a healthcare company with 5,001-10,000 employees
Real User
Top 5, Leaderboard
Jul 30, 2025
Integrating seamlessly with existing security infrastructure to effectively manage alerts and improve response times
Pros and Cons
  • "The benefits were immediate when we started using Mission Control Splunk SOAR over a year ago; it has made it easier for our analysts to work on alerts using playbooks and forward them."
  • "It would be nice if we could put it on other search heads, not just Enterprise Security."

What is our primary use case?

We have it interconnected with Enterprise Security. We use what's called Mission Control. There are two products for Splunk SOAR: Mission Control and Phantom. We're using Mission Control to forward automated alerts to our SOC analysts.

What is most valuable?

Being able to integrate with Enterprise Security is a big plus. I can assign admins or analysts roles to manage Mission Control or Splunk SOAR, which is very beneficial. The solution has been effective because we were able to filter out non-important alerts and focus on the important ones. Using playbooks has shortened the mean time to remediate.

What needs improvement?

It would be nice if we could put it on other search heads, not just Enterprise Security. We have an ad hoc search head, and compatibility with that would be beneficial. More training classes from Splunk University would also be good.

For how long have I used the solution?

We have been using the solution for about a year now.

What do I think about the stability of the solution?

There were minor issues with modifying the playbooks and integrating new alerts. The system hasn't stopped working or failed, so it's performing well.

What do I think about the scalability of the solution?

I haven't experienced any scalability issues yet.

How are customer service and support?

The customer service is good and pretty intuitive.

Which solution did I use previously and why did I switch?

I have personally used LogRhythm's product, though I cannot recall its specific name.

How was the initial setup?

The initial setup was fairly easy.

What about the implementation team?

We implemented using Splunk's version.

What was our ROI?

We have seen positive ROI using various techniques, including risk-based alerting and enabling or disabling false positive alerts.

What's my experience with pricing, setup cost, and licensing?

The solution is free for us, which is a beneficial aspect.

Which other solutions did I evaluate?

We did consider alternate solutions.

What other advice do I have?

Splunk SOAR has been integrated into Enterprise Security 8.1, making it easier to configure. This feature was released about a month ago. The benefits were immediate when we started using Mission Control Splunk SOAR over a year ago. It has made it easier for our analysts to work on alerts using playbooks and forward them. The implementation took approximately four weeks, with about 30% improvement in efficiency and 20% in overall performance. The solution offers more capabilities and better integrations with Enterprise Security. I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Jul 30, 2025
PeerSpot user
SAURABHYADAV4 - PeerSpot reviewer
Consultant at a tech vendor with 10,001+ employees
Real User
Top 5
Jun 10, 2024
Enables optimization by reducing manual intervention and increasing automation in the workflow
Pros and Cons
  • "The product provides 100% automation for certain processes."
  • "The solution must provide more AIOps to improve predictability."

What is our primary use case?

I use the solution for incident response and automation.

How has it helped my organization?

The product helps with workflow reduction. The manual efforts required have been reduced. It contributes to optimization. The extent of workflow reduction varies depending on the instance. Manual intervention is required for critical processes. If it is not critical, we can automate it.

What is most valuable?

The product provides 100% automation for certain processes. It needs no manual intervention. We can integrate various tools like VirusTotal and ServiceNow. We can automate all the tasks. It is one of the best things about the tool. It also provides workforce protection.

Whenever we get any alerts or make any configurations, we develop workflow automation using the playbooks. We can fully automate some of the security incident resolutions. We can also do identification and redirection using the product.

I have integrated Splunk Phantom with Splunk Cloud. Previously, I used it with Splunk on-premise to get the logs into Splunk for tracking and audit purposes. Since Splunk is a SaaS-based product, it has certain maintenance windows. Over time, the vendor does some maintenance during off-production hours.

Creating playbooks using the solution’s playbook editor is not tough. For someone who knows the solution, I rate the ease of creating playbooks as four out of five. The solution’s playbook viewer provides full visibility. The product provides different integrations. We can easily integrate the tool with VirusTotal, ServiceNow, and the asset and identity management system.

The product is somewhat easier to use in an investigation. We have been able to identify the false positives using the product. The tool has helped reduce false positives by 30%. Splunk SOAR has helped reduce our mean time to detect by 10% to 15%. Splunk SOAR has a major impact on our mean time to resolve. Our mean time to resolve has been reduced by 35% to 40%.

I have integrated VirusTotal with Splunk SOAR. Instead of doing manual checks, I can easily get the score by integrating the tool with Splunk SOAR. I have also synced Active Directory with the asset and identity management system.

It's been a long time since we have implemented Splunk SOAR. It brings value to our organization. Before Splunk SOAR, everything was done using manual intervention. We had to educate the SOC team on how to do tasks. We also had to create playbooks for them. With Splunk SOAR, we only have to educate the team about how things are done so that they can perform a manual intervention when there is a failure, which is rare.

After deploying the product, we had to provide some training to the SOC team. After getting trained, it was hands-on. Along with other Splunk solutions, Splunk SOAR provides the resilience to face any issues and hardships. We easily cope with downtimes.

Splunk SOAR offers us end-to-end visibility across our environment. It depends on how much we utilize it. Visualizing and troubleshooting our cloud-native environment using Splunk SOAR is somewhat easy. I have to coordinate with the Phantom administrators if there is any issue. I work mostly on playbook development and integrating it with security instances.


What needs improvement?

The solution must provide more AIOps to improve predictability.

For how long have I used the solution?

I have been using Splunk SOAR for three to four years.

What do I think about the stability of the solution?

The tool is stable because it is completely SaaS-based.

What do I think about the scalability of the solution?

The SOC and engineering teams use the solution. The engineering team uses it to automate tasks. We have around 30 to 40 users. We were not using the tool completely initially. Once we started using it, we scaled it. We have also increased the number of product licenses. Our clients are enterprise-level businesses.

How are customer service and support?

I've been using Splunk products for a long time. Overall, I am pretty satisfied with the quality of service of the support team.

How would you rate customer service and support?

Positive

How was the initial setup?

Splunk SOAR is SaaS-based. The deployment takes a few months to stabilize. We have a Splunk team that manages the deployment. Two to three people are involved in the deployment.

What's my experience with pricing, setup cost, and licensing?

Everything good comes with a price. The tool is not cheap. However, if we use it to its full potential, it will be beneficial.

What other advice do I have?

Overall, I rate the product an eight out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
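The review above describes two playbook behaviours: enriching an alert with a VirusTotal score instead of checking by hand, and keeping manual intervention for critical processes while automating the rest. The following is an added example of that triage logic, written here as plain Python of the kind a SOAR playbook's custom function would contain; it is not the reviewer's playbook or Splunk's code. The report shape (`data.attributes.last_analysis_stats`) follows the VirusTotal v3 file report; the hashes, host names, the `CRITICAL_ASSETS` set and the thresholds are constructed placeholders.

```python
"""Enrichment-and-triage step modelled on a SOAR playbook that consults VirusTotal.

Added example, not code from the review or from Splunk.  Sample reports,
asset names and thresholds are constructed for illustration.
"""
from dataclasses import dataclass

# Assets whose remediation must stay manual: the playbook prepares the action
# and asks an analyst to approve it rather than executing it. (constructed)
CRITICAL_ASSETS = {"pay-gw-01", "hsm-proxy-02"}

# Constructed VirusTotal v3-style file reports keyed by SHA-256.
SAMPLE_VT_REPORTS = {
    "a" * 64: {"data": {"attributes": {"last_analysis_stats":
               {"malicious": 41, "suspicious": 3, "harmless": 0, "undetected": 26}}}},
    "b" * 64: {"data": {"attributes": {"last_analysis_stats":
               {"malicious": 0, "suspicious": 0, "harmless": 64, "undetected": 6}}}},
    "c" * 64: {"data": {"attributes": {"last_analysis_stats":
               {"malicious": 4, "suspicious": 2, "harmless": 50, "undetected": 14}}}},
}


@dataclass
class Triage:
    sha256: str
    detection_ratio: float
    verdict: str   # benign / suspicious / malicious / unknown
    action: str    # close / escalate / quarantine / approval_required


def detection_ratio(report):
    """Fraction of engines flagging the file as malicious or suspicious."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    total = sum(stats.values())
    if total == 0:
        raise ValueError("no engines reported on this file")
    return (stats["malicious"] + stats["suspicious"]) / total


def verdict_for(ratio, malicious_threshold=0.30, suspicious_threshold=0.05):
    """Map a detection ratio onto a verdict; thresholds are constructed."""
    if ratio >= malicious_threshold:
        return "malicious"
    if ratio >= suspicious_threshold:
        return "suspicious"
    return "benign"


def triage(sha256, host, reports=SAMPLE_VT_REPORTS):
    """Decide what the playbook does with one artifact.

    Missing enrichment never auto-closes: an analyst looks at it instead.
    Malicious findings on a critical asset are never remediated automatically.
    """
    report = reports.get(sha256)
    if report is None:
        return Triage(sha256, 0.0, "unknown", "escalate")
    ratio = detection_ratio(report)
    verdict = verdict_for(ratio)
    if verdict == "benign":
        action = "close"
    elif verdict == "suspicious":
        action = "escalate"
    else:
        action = "approval_required" if host in CRITICAL_ASSETS else "quarantine"
    return Triage(sha256, round(ratio, 3), verdict, action)


if __name__ == "__main__":
    for digest, host in (("a" * 64, "ws-17"), ("a" * 64, "pay-gw-01"),
                         ("b" * 64, "ws-17"), ("c" * 64, "ws-17"), ("d" * 64, "ws-17")):
        print(triage(digest, host))
```

The two guard rails are the point: an absent or empty report escalates rather than closes, so an enrichment outage cannot silently turn into auto-closed alerts, and the critical-asset check is evaluated before any remediation action is chosen.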
Jay-Panchal - PeerSpot reviewer
Information Security Analyst at a healthcare company with 1,001-5,000 employees
Real User
Top 10
Sep 11, 2024
It's a powerful tool that can monitor our servers and improve our web business by reducing security threats
Pros and Cons
  • "Splunk has many features that make work easier, and it's simple to implement in a large production environment. Splunk collects a massive amount of data from cloud servers and handles it perfectly."
  • "The dashboard could be improved and some other features. SOAR should integrate network capabilities, allowing us to also monitor the WLAN network. Splunk is also expensive and difficult for beginners to learn. It's hard for a new user to figure out how to visualize old threat data. It took two to three months to learn with hands-on experience how to use the dashboard, visualize events, and analyze threats."

What is our primary use case?

I use Splunk to detect threats and conduct threat analysis. The solution monitors, models, and analyzes all security events in our cloud environment's production areas and mitigates threats.

How has it helped my organization?

Before we used Splunk SOAR, we didn't know how much traffic was coming in or what security threats were happening on our servers. We could not monitor the entire production environment. Splunk enables us to perform monitoring, threat hunting, threat analysis, and reporting on the risks and impact on our business. 

Splunk improves our business resilience because it's a powerful tool that can monitor our servers and improve our web business by reducing security threats.  Before Splunk, security threats heavily impacted our production environments. 

In the past, we had to monitor all our servers manually, but now that we have implemented SOAR in our production environment, we no longer need to monitor everything 24/7. It sends alerts to our emails, saving us time that we can spend on other tasks. It reduces our monitoring time by about 50 percent. Splunk speeds up our response time by 20 percent. 

Splunk can integrate and manage multiple solutions simultaneously. It has reduced our alert volume and improved our security. We can show our clients that we're monitoring all the production environments and mitigating events as they happen. It has improved our security posture and reduced the risk.

What is most valuable?

Splunk has many features that make work easier, and it's simple to implement in a large production environment. Splunk collects a massive amount of data from cloud servers and handles it perfectly. 

It manages the whole thread of data security logs and visualizes the data, making it easier to view everything. Splunk gives you end-to-end visibility of your on-prem environment, enabling you to troubleshoot issues easily. 

Splunk integrates easily with the AWS cloud and also other clouds like GCP and Azure. It quickly and efficiently captures all the logs from the cloud just like it was capturing logs from your on-premises environment.

What needs improvement?

The dashboard could be improved and some other features. SOAR should integrate network capabilities, allowing us to also monitor the WLAN network. Splunk is also expensive and difficult for beginners to learn. It's hard for a new user to figure out how to visualize old threat data. It took two to three months to learn with hands-on experience how to use the dashboard, visualize events, and analyze threats. 

For how long have I used the solution?

I used Splunk SOAR for about a year at the company I just left. 

What do I think about the stability of the solution?

I rate Splunk SOAR eight out of 10 for stability. 

What do I think about the scalability of the solution?

I rate Splunk SOAR nine out of 10 for scalability.

How are customer service and support?

I rate Splunk support eight out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously worked with Wazuh, and Splunk is a much better SOAR solution.

How was the initial setup?

Splunk SOAR is deployed on the cloud. The initial deployment wasn't complex, but implementing it on our production servers was a bit difficult because we had to deploy agents to more than 60 servers. It requires a little maintenance, such as upgrades and changing the dashboard. Installing it to a new production server takes a day to reconfigure. 

What was our ROI?

Once Splunk is fully deployed, we can realize the full benefit. Implementing the solution across all our servers took a week.

What's my experience with pricing, setup cost, and licensing?

I rate Splunk SOAR two out of 10 for affordability. Splunk is a fast enterprise tool, but it costs too much. At the same time, it's worth what we pay, in my opinion. We can efficiently perform all the functions and tie together the data. It's the perfect tool for our needs. 

What other advice do I have?

I rate Splunk SOAR eight out of 10. I recommend Splunk if the company can afford it. It's suitable for a large organization that requires security monitoring. It's the best tool for threat hunting and analysis. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Amit Moralwar - PeerSpot reviewer
Senior Information Security Engineer at a tech company with 10,001+ employees
Real User
Top 20
Jun 2, 2024
Provides a user-friendly GUI, and reduces manual work, but the playbooks have room for improvement
Pros and Cons
  • "Splunk SOAR's extensive library of pre-built integrations allows it to connect with a vast array of popular security and IT applications, streamlining workflows across our existing security stack."
  • "Various aspects of the playbook development process itself can be optimized."

What is our primary use case?

I use Splunk SOAR to create automation for our SOC team. These automations integrate with third-party applications, which is a key requirement for our SOC.

How has it helped my organization?

Splunk makes creating playbooks simple with its GUI. We can build playbooks by dragging and dropping different elements, eliminating the need for complex coding.

The visibility of the playbook viewer is good. We can add custom code while developing the playbook if required.

Splunk SOAR provides end-to-end visibility into our environment.

Troubleshooting our cloud-native environment with Splunk SOAR is a breeze thanks to its intuitive graphical interface. Unlike traditional tools requiring command lines, Splunk SOAR lets us manage integrations and cloud access entirely within the user-friendly GUI, streamlining the process.

Splunk SOAR has significantly reduced our manual workload by automating many previously time-consuming processes. We only began to see the full benefits after about five months.

Splunk simplifies security investigations by offering pre-built processes and leveraging the rich functionality embedded within Phantom's alerts. This combination provides a powerful toolkit for investigators.

Splunk SOAR has significantly improved our security alert resolution efficiency. While the specific time saved depends on the individual case, we've seen a general reduction in resolution time from around 20 minutes to five minutes thanks to the variety of use cases it supports.

Splunk has reduced our mean time to detection by 15 minutes.

Our mean time to resolution is now down to five minutes.

Splunk SOAR streamlined our security operations by consolidating multiple tools. We've successfully integrated and replaced approximately 15 individual applications into a more unified environment.

What is most valuable?

The most valuable features are the third-party integrations and the playbook development that can be done using Python.

Splunk SOAR's extensive library of pre-built integrations allows it to connect with a vast array of popular security and IT applications, streamlining workflows across our existing security stack. This includes tools like Salesforce, Microsoft Outlook, and abuseIP, empowering our organization's SOC and security teams to leverage these familiar applications within SOAR's automation and orchestration capabilities.

What needs improvement?

Playbooks offer significant room for improvement, as custom code is often required during development. Various aspects of the playbook development process itself can be optimized.

For how long have I used the solution?

I have been using Splunk SOAR for one and a half years.

What do I think about the stability of the solution?

Splunk SOAR is extremely stable.

What do I think about the scalability of the solution?

Splunk SOAR is scalable to our needs.

How are customer service and support?

The technical support is good.

How would you rate customer service and support?

Positive

What other advice do I have?

I would rate Splunk SOAR five out of ten.

Early on, we encountered some issues automating tasks with playbooks. However, a recent Splunk version upgrade resolved those problems.

We have 50 users spread across different regions.

The resilience of Splunk SOAR is great.

A thorough evaluation of the SOAR landscape is recommended to identify the best fit for your needs. If Splunk aligns with your requirements after this assessment, it can be a strong option.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Rodrigo Scorsatto - PeerSpot reviewer
Senior Principal Site Reliability Engineer at a tech vendor with 10,001+ employees
Real User
Top 20
Dec 26, 2025
Data Enrichment and Auto-healing for IT Operations
Pros and Cons
  • "SOAR allows custom code to be written and integrates with various technologies through pre-built apps like Windows Remote Management or custom apps we can build ourselves like a secret retrieval app from our vault."
  • "While there have been improvements to the investigation process, particularly with the playbook data, the current log review method is cumbersome."

What is our primary use case?

Splunk SOAR, formerly Splunk Phantom, is a powerful automation platform with a high security focus, but it is also usable for any other general tasks such as putting a server off the network, restarting services, performing health checks, performing data enrichment by collecting information from different sources and combining, analyzing, and providing precise information about several topics. It has a variety of options, and what can stop you is just your creativity.

How has it helped my organization?

Splunk SOAR has a user-friendly interface that simplifies playbook creation. While some initial training is helpful, the drag-and-drop functionality and pre-built code generation features make it accessible even for those without extensive coding experience. This ease of use allows teams to quickly automate incident response tasks, reducing the business impact.

Splunk SOAR helps us improve our data collection and automate operational tasks. While it enriches data, some actions require approval or additional information. For application outages, immediate action is crucial to avoid business impact, and time to respond is key to be able to identify the root cause of issues. For example, if a database server goes down, if the analyst doesn't check the issue right after it occurs, they may end up losing precious logs, which would help them identify the issue and avoid reoccurrence. Additionally, manual database tasks like service restarts or log checks are time-consuming. Splunk SOAR automates these tasks, enriching our log collection, running health checks, and generating reports for the database team. This allows for faster issue identification and resolution, ultimately contributing to high system availability and minimal customer impact.

It provides a comprehensive solution for our environment's health. Splunk offers two key products: Splunk as an observability tool that detects critical issues, and Splunk SOAR, an automation platform that enriches data and even automates remediation actions.

SOAR offers easy integration with various tools. We can leverage pre-built apps for common integrations or create custom ones. While Splunk integrations are automatic, SOAR's API allows us to send data from any observability tool using the SOAR API. This API offers different options to manage the platform, and one of the options is to create a container in SOAR, which can trigger the appropriate playbook based on a label name, simplifying integration with new tools and accelerating proof-of-concept deployments.

Implementing a SOAR platform significantly improved our IT operations. Previously, frequent application downtime overwhelmed our busy operations team, forcing them to prioritize and leave some issues unresolved. SOAR automation relieved this pressure by allowing us to create playbooks that automatically detect and fix recurring problems. While the initial setup required developing playbooks and standards, the resulting reduction in alerts and faster issue resolution freed up the operations team's time and had a major positive impact on our overall IT environment.

Our mean time to detect is within seconds. Before SOAR, manually detecting and resolving server issues was slow and unreliable. It could take hours for an overloaded team to identify a problem, and even longer to fix it, potentially impacting customers. SOAR automates this process, triggering immediate responses that take seconds, minimizing downtime, and ensuring a smooth customer experience.

Our mean time to resolution is improved. SOAR helps resolve issues quickly by automating tasks through playbooks. When an issue is detected, SOAR can run a playbook to fix it or provide more information to analysts, expediting resolution.

SOAR has significantly improved our efficiency by automating manual tasks. This frees our IT staff to focus on resolving issues faster and tackling more complex projects.

What is most valuable?

SOAR allows custom code to be written and integrates with various technologies through pre-built apps like Windows Remote Management or custom apps we can build ourselves like a secret retrieval app from our vault. Playbooks, built with drag-and-drop and custom functions, provide further flexibility for developers to tailor the solution to their specific needs.

What needs improvement?

While there have been improvements to the investigation process, particularly with the playbook data, the current log review method is cumbersome. Scrolling through massive, unsearchable logs is inefficient. Ideally, the system would offer search functionality or even AI-powered analysis to pinpoint issues quickly, saving time spent sifting through text.

SOAR's development efficiency can be enhanced by incorporating AI to assist in writing custom code, eliminating the need to start from scratch. This AI-powered approach would significantly reduce the time required to develop playbooks.

For how long have I used the solution?

I have been using Splunk SOAR for over five years.

What do I think about the stability of the solution?

SOAR is stable. In the last three years, we only had it go down twice, which was related to a server issue.  

What do I think about the scalability of the solution?

SOAR is designed to grow with our needs by allowing us to add more hardware to handle increased workloads. This makes it a good fit since scalability was a major factor in our evaluation. On top of that, SOAR's customizable platform ensures it can be tailored to our specific requirements.

How are customer service and support?

During playbook development, we encountered technical issues with the playbook feature itself, requiring vendor assistance. Their expertise was invaluable. Not only did they resolve the immediate problems, but they also proactively suggested improvements to our SOAR platform coding for better speed and overall performance.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Having experience with various automation tools, including Microsoft Orchestrator, Ansible and Rundeck, I find SOAR to be the most user-friendly. In fact, after exploring most market offerings, Splunk SOAR stands out for its comprehensive feature set, surpassing any other platforms we've previously used.

How was the initial setup?

The deployment required one member from our team and one from the SOAR team.

What about the implementation team?

Implementing Splunk SOAR was made significantly easier with the support and expertise of the vendor's team. Their deep knowledge of the platform and extensive deployment experience proved invaluable, allowing for a smoother and more efficient implementation process overall.

What's my experience with pricing, setup cost, and licensing?

While the exact pricing for Splunk SOAR is not known to me, I've heard from some colleagues that it may be on the more expensive side compared to other automation tools. However, the general consensus seems to be that the investment in Splunk SOAR pays off once you start utilizing its capabilities and automating your workflows. By automating tasks and freeing up resources, Splunk SOAR can provide a strong return on investment in the long run, despite the potentially higher upfront cost.

Which other solutions did I evaluate?

I have evaluated different automation platforms, such as Microsoft Orchestrator, Ansible and Rundeck.

What other advice do I have?

I would rate Splunk SOAR nine out of ten. I am deducting one point because it is tedious to go through the logs manually.

SOAR allows for cloud and on-premise deployment, and I favor the on-premise option for enhanced security. Since some automation has extensive access to our internal systems, any internet communication during operation raises the potential for breaches.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Dec 26, 2025
PeerSpot user
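The review above notes that any observability tool can feed SOAR by creating a container through the REST API, and that the container's label is what selects the playbook. The following is an added example of that integration path, not the reviewer's code or Splunk's. The endpoint (`POST /rest/container`) and the `ph-auth-token` header are the documented SOAR REST API; the host name, token, label names, `KNOWN_LABELS` set and sample event are constructed placeholders, and `opener` is injectable only so the code can be exercised without a live instance.

```python
"""Create a Splunk SOAR container so the playbook bound to its label runs.

Added example, not code from the review or from Splunk.  Host, token,
labels and the sample event are constructed placeholders.
"""
import json
import urllib.request

# Labels that playbooks are bound to in this hypothetical SOAR instance.
# Routing on label lets a new monitoring source reuse an existing playbook.
KNOWN_LABELS = {"db_outage", "service_restart", "health_check"}

# Constructed sample: the kind of event an observability tool would forward.
SAMPLE_EVENT = {
    "id": "mon-000123",
    "host": "db01.example.internal",
    "message": "postgresql service not responding on port 5432",
}


def build_container(name, label, severity, event):
    """Return the JSON body for POST /rest/container.

    The event's observables go into one artifact with CEF-style field names
    so playbook blocks can address them as artifact:*.cef.<field>.
    """
    if label not in KNOWN_LABELS:
        raise ValueError(f"no playbook is bound to label {label!r}")
    if severity not in ("low", "medium", "high"):
        raise ValueError("severity must be low, medium or high")
    artifact = {
        "name": "monitoring event",
        "label": "event",
        "cef": {"sourceHostName": event["host"], "message": event["message"]},
        "source_data_identifier": event["id"],
    }
    return {
        "name": name,
        "label": label,
        "severity": severity,
        "description": event["message"],
        # Lets SOAR de-duplicate if the monitor re-sends the same event.
        "source_data_identifier": event["id"],
        "artifacts": [artifact],
    }


def create_container(base_url, token, payload, opener=urllib.request.urlopen):
    """POST the container and return the id SOAR assigned to it.

    `opener` defaults to urllib's urlopen; tests pass a stub instead.
    The automation-user token travels in the ph-auth-token header.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/rest/container",
        data=json.dumps(payload).encode(),
        headers={"ph-auth-token": token, "Content-Type": "application/json"},
        method="POST",
    )
    with opener(req) as resp:
        body = json.loads(resp.read())
    if not body.get("success"):
        raise RuntimeError(f"SOAR rejected the container: {body}")
    return body["id"]


if __name__ == "__main__":
    body = build_container("DB outage on db01", "db_outage", "high", SAMPLE_EVENT)
    print(json.dumps(body, indent=2))
    # create_container("https://soar.example.internal", "<token>", body)
```

Rejecting unknown labels up front matters operationally: a container with a label no playbook is bound to is accepted by SOAR but simply sits unhandled, which is exactly the silent failure an auto-healing pipeline cannot afford. The automation-user token should be scoped to the minimum roles the integration needs and stored in the calling tool's secret store, not in the script.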
reviewer2499171 - PeerSpot reviewer
Security Engineer at a retailer with 10,001+ employees
Real User
Top 10
Jun 16, 2024
Saves a lot of time and the mobile app makes it easy for our analysts to get alerted and respond
Pros and Cons
  • "Surprisingly, the mobile app is valuable because it is very convenient for our on-call analysts to respond and get alerted to security alerts and events wherever they are. We are able to harness the power of Splunk SOAR and everything that we are doing, and we are also able to alert our on-call analysts 24/7. From their mobile phone, they can respond to those alerts."
  • "Unfortunately, not all of our analysts are iPhone users or iOS users. The mobile app is only supported on iOS. Our analysts who have Android do not have that benefit. That would be a nice thing to have so that we can have it across the board and not just for iOS."

What is our primary use case?

The primary use case is for our Security Operation Center. We use it for automation and responding to some of our cybersecurity alerts. It is being used for performance enrichment and automation on those events.

We do not use Splunk SOAR to predict things or try to predict things that can happen in the future. We are mainly using it to respond to things. It is more for responding to events that have happened.

How has it helped my organization?

We implemented Splunk SOAR because we had a lot of repetitive tasks that our analysts do. In our area, it was hard, and it still is hard, to find cybersecurity graduates and analysts, so any time that we can save for our analysts can be better spent.

There has been a lot of time-saving, which equals dollar savings for the company. We have a lot of automation of repetitive tasks and things like that. We do not have to do things manually, so it saves a lot of time for our analysts. It is hard to measure the time savings because we are always developing or trying to develop new things. We are not that far along. We have been using it for three years but we have used it in production for maybe a year and a half. There is a big learning curve, so I am still learning.

Our cloud endeavors are still in their infancy phase. We have not even started to look at that part yet. For our on-prem environment, there is definitely an advantage. There are a lot of features and capabilities not only from a security perspective. We have real-time alerting based on the system downtime and certain logs that are collected and things like that. I am sure we can apply it to the cloud infrastructure in the future as well.

We have definitely saved a lot of time with the things that we have automated. We have probably saved the amount of one analyst in a year.

In terms of Splunk SOAR's impact on our organization’s business resilience, it is on the way to getting there. This year and next year, we will definitely set that stage. We have some initiatives that are just starting that would definitely put us into that area. We have not crossed that bridge yet.

Splunk's unified platform has helped consolidate networking, security, and IT observability tools. A simple example is the ability to use SOAR integrations and API integrations in all the different tool sets that we have. Our analysts can use those tools from Splunk instead of having to log in to each one of those tool sets to do things. It is saving a lot of time as well for our analysts.

What is most valuable?

Surprisingly, the mobile app is valuable because it is very convenient for our on-call analysts to respond and get alerted to security alerts and events wherever they are. We are able to harness the power of Splunk SOAR and everything that we are doing, and we are also able to alert our on-call analysts 24/7. From their mobile phone, they can respond to those alerts. They do not necessarily have to have a laptop with them. That is one of the most convenient features or parts of Splunk SOAR that we use. This type of integration with the mobile app is not very common.

What needs improvement?

Unfortunately, not all of our analysts are iPhone users or iOS users. The mobile app is only supported on iOS. Our analysts who have Android do not have that benefit. That would be a nice thing to have so that we can have it across the board and not just for iOS.

For how long have I used the solution?

I have been using Splunk SOAR for three years.

What do I think about the stability of the solution?

It is very stable. It is pretty rare that it goes down. It crashed just once last week.

What do I think about the scalability of the solution?

This is an aspect that we have not yet explored. We have a single instance on-prem.

How are customer service and support?

From my experience, Splunk support has always been top-notch. I would rate them a nine out of ten. One point that is missing is because of the bad experience that we had while starting out with Phantom. It was hard for the support to assist us. There were definitely some breakdowns in communication that resulted in delays.

Which solution did I use previously and why did I switch?

Before SOAR, it was called Phantom. It was the same thing, and then they changed the name of it. We did not use any other solution previously.

How was the initial setup?

It was a pretty rocky start. That was when it was Phantom, and there were a lot of problems. I had a lot of problems with Phantom. A lot of that was why we had hesitation with renewing Splunk SOAR. A lot of the problems were related to bad code and poor instructions and guidance. Some of it was things that we may not have done right, but a lot of it was related to code. It definitely got off to a rocky start. It was not as smooth as we anticipated the whole thing to be. 

Our environment is on-prem. We have some things in AWS, but I am not privy to the cloud aspect.

What about the implementation team?

We deployed Phantom ourselves.

What's my experience with pricing, setup cost, and licensing?

We renewed it this year. This year was the first time there was a dramatic increase in the price. It was kind of non-negotiable. It was just a high increase. We had internal communications, and it was definitely a surprise to us. In a short time frame, we renewed it this year. Prices are going up everywhere, but they are not always justifiable, at least not to our eyes. The pricing this year was definitely a big shock.

Instead of a gradual increase from time to time, it was just a big sticker shock increase. The price is never going to decrease again. I am not saying it was justifiable or not, but the message that was relayed to us and the unwillingness to negotiate at least to a more reasonable number were surprising.

Which other solutions did I evaluate?

The only one that we pursued was a product called Siemplify which has been bought out by Google since then. Our primary reason for going with Splunk SOAR was that we were already a Splunk customer. It made sense to wrap Splunk SOAR into that as well. We use Splunk ES. With Siemplify, the integration piece was lacking just because it was not a Splunk product.

What other advice do I have?

I would rate Splunk SOAR a ten out of ten, especially as compared to other options out there, such as XSOAR and Siemplify. A lot of my decision is based on the fact that we were already a Splunk customer, so the integration was beneficial.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SOC analyst at an outsourcing company with 5,001-10,000 employees
Real User
Top 10
Jul 29, 2024
Enabled us to reduce the use of other tools
Pros and Cons
  • "Splunk integrates with so many products. It provides us with good information for us to be able to do our jobs."
  • "I haven't had any issues with the solution so far."

What is our primary use case?

I primarily use the solution for incident investigations. 

What is most valuable?

We can make custom playbooks and use the Playbook Editor to do so. The Playbook is my favorite feature; it's quite useful. There are a lot of automation capabilities.

Its visibility is good. It's end-to-end. We can see incidents across our environment. We've been satisfied with the level of visibility so far. 

The automation helps save us time. We've saved a lot of time researching incidents. If we do resolutions manually, it can take up to 15 minutes. With Splunk's automation and Playbook, we can resolve issues within two to three minutes. 

We have Splunk integrated with other tools and systems. Some are using, for example, Carbon Black EDR. It's very flexible. It works with various third-party tools. Which we use depends on the customer. 

The solution provides good business resilience. It helps with real-time detection and resolutions. With automation, our real-time alerting is quite good. 

Splunk integrates with many products. It provides us with good information for us to be able to do our jobs.

We have been able to reduce the use of other tools. When we use Splunk, we tend to just focus on Splunk's findings, only. We do a lot of investigations using Splunk. It makes the process easier. 

We've noticed a reduction in security event volume. It's helped us to reduce a lot. We've been able to reduce the mean time to detect by 30% to 40%. It's also helped us reduce the mean time to resolve by almost 50% to 60%. We have a lot of customers and a lot of alerts typically, so we've always had a lot to deal with. 

What needs improvement?

I haven't had any issues with the solution so far. 

For how long have I used the solution?

I've used the solution for three months.

What do I think about the scalability of the solution?

The solution is really scalable. We are using it across multiple customers and handle multiple alerts. 

How are customer service and support?

We are able to connect with support if we have issues. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Right now, we also have IBM. However, mostly, we use Splunk. Our customers prefer Splunk over IBM thanks to the playbooks on offer. The appearance of Splunk is also better. Splunk has a strong reputation in the space. It makes investigations easier.

How was the initial setup?

The deployment process is straightforward. Our deployment team will deploy it for customers. It will take two to three days, depending on our customer's servers. 

We can train employees on how to use Playbooks within two months. 

What about the implementation team?

We help our clients deploy Splunk. 

What's my experience with pricing, setup cost, and licensing?

The cost is as expected. It can be a bit high; however, we get a better rate between us and our third party. We provide services to clients if they purchase Splunk SOAR, which gives them good value.

What other advice do I have?

I'd rate the solution nine out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: partner.
Buyer's Guide
Download our free Splunk SOAR Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2026