Splunk SOAR Reviews

We have around 95 different use cases for Splunk SOAR that help secure our environment. 

The solution has helped us automate and customize some of our servers.

I give an eight out of ten for the ease of creating a playbook. The visibility of the solutions playbook viewer is user-friendly.

We have integrated 15 plus services with Splunk SOAR. Splunk SOAR is easy to use for investigations as long as they have experience with the solution.

Splunk has helped us reduce our security event volume. The solution has also helped us reduce our mean detection time by 80 percent and has helped our security IT staff save time to work on other projects.

Splunk SOAR has as well helped us consolidate tools in our environment. 

Scalability is the best feature of the solution.

The algorithm and machine learning have room for improvement and can be more user-friendly.

The integration with the phone system, price, UI, and performance have room for improvement.

I have been using the solution for one year.

I give the stability a seven out of ten.

I give the scalability an eight out of ten.

I previously used Swimlane which has a better GI than Splunk SOAR.

I give the initial setup an eight out of ten. There is a lot of documentation available online to help with deployment and as long as we know how to configure it, it is straightforward. For basic deployment, we do not require much time.

The implementation was completed in-house.

I give the price a six out of ten. Splunk SOAR is priced higher than most other solutions.

I give the solution a seven out of ten.

I recommend Splunk SOAR for larger organizations.

Basically, we are using it for most of our automation, and not as per the SOAR, although it is a SOAR application. We are not using it just for security purposes. We are using it for various purposes like maintenance. 

We do have our own data center where we have our maintenance on the infrastructure side, and the application has to be brought down. Here it has done exceptionally well. We shut down all our different applications by writing our code in the shell languages, and we upload through GitHub. It means that we can just call that script, and it gets triggered on the particular server, and it shuts down. It's like a workflow.

The workflow has been created in such a way that it helps us. Earlier, when we used to have to manage it manually, when we shut down the application, it used to take a lot of time. Now it is done within 30 minutes. In our environment, we have SAP applications, and SAP has its own commands to shut down the applications, databases, et cetera. So it is just not limited to all those shutdowns and this. We do have various other stuff as well, like upgrades. So we have written the upgrade codes, and now we can upgrade X number of SAP applications and databases as needed.

It has helped us with the SAP kernel upgrade. Recently, due to security fixes, and security bugs, we had to upgrade the various SAP applications. To do it manually, it would have taken around five to six months to complete. However, with this product, we were able to complete it within two months since we just wrote a script, and it got triggered in various systems, and it fixed everything. We were saved from the security perspective as well since it ensured we had less vulnerability for less time. Also, thanks to SOAR, only two people were needed to run all those scripts, and just have to monitor everything. That's less personnel. 

The customizable playbook is the most valuable aspect of the solution. 

With the Splunk vendor itself, the vendor is supporting us in the creation of those playbooks. We have created playbooks in such a way that they are a universal playbook, where we just have to bring in any type of command which needs to be triggered, and it works. If we did things another way, we would have to install our agents to connect the particular application. Here, we don't have to have to do that. It can work in the playbook itself. We just have to give our credentials. The credentials also are in an encrypted format, so we are much more secure.

The solution is stable. 

Technical support is helpful. 

What we have seen is if the workflow gets halted or if we want to halt a workflow, it cannot be resumed. We have to trigger the entire plan from step one. That is a bit annoying. If something is wrong, we can't just resume stuff. We'd like it to be possible to pause things without having to start from square one. 

Reporting could be better. We are getting reports, yet not in the way we want. Whatever fails, for example, we want all those errors, the logs, in an attachment, which can be sent easily over an email just by the click of a button. Right now, we cannot send over an email. We have to pull everything, and we have to download it.

We've been using the solution for the past two years.

The stability is great. I'd rate it eight out of ten. It's not breaking very often, and the playbook makes things easy for us. 

I'd give the level of scalability seven out of ten. There is still room for improvement. We'd like to have more use cases and automation.

Technical support has been good. I work on technical parts of the product and bring in use cases, et cetera. If there are any problems, my colleagues check with the vendor and so far, we have had good support from them. We haven't had many issues. 

We were using IBM BigFix before this, and we used it for various purposes like patching on the Windows server. The same solution was also used for the automation of shutting down the system, upgrades, and many other things. Ultimately, we decommissioned it, and we moved ahead with the Splunk SOAR.

The vendor was the one who deployed the solution. Later on, they just installed it on our site. We gave everything to the vendor, and the vendor supports everything since it is on the cloud. 

We have witnessed an ROI, and it is good. We've gotten good feedback from senior management. 

I don't handle the pricing aspect of the product.

We are both partners and customers of Splunk. 

If you are a company looking into SOAR and if you are a customer of Splunk, then you should definitely use it. And if your product is most probably looking for security or for some alerting purposes, it will help you to automate your many, many use cases. You can build many, many things with Splunk and on the SOAR side and you can automate your end-to-end process. Also, companies should know that a minimal language knowledge of Python is required.

I'd rate the solution eight out of ten overall. Even for people who are not too technical, it's a good product.

We wanted to automate the process of creating playbooks, orchestrating events, customizing integrations, and deploying applications such as Thread Connect and Wireless Total for enrichment and threat hunting. We have tailored these applications to meet our specific needs and redeployed them.

As a programmer, I am glad that Splunk did not position itself as a no-code or low-code platform. The solution allows us to customize playbooks and incorporate custom code, allowing us to drag and drop elements while still writing code to build the integrations we need. This makes Splunk a great solution for a solid platform.

Splunk's support for integration is subpar and has room for improvement. 
Splunk should make more effort to keep up with the latest developments in the external world, so that their applications, integrations, and enrichment apps are up to date. Additionally, the documentation and support should be improved, as the experience, their users have had in the past has been unsatisfactory. We were very disappointed that our queries were left unresolved for six months, as it was a time for response rather than solutions. Additionally, several tickets were lodged with Splunk, yet the issue persisted for half a year.

I would request that SOAR add a feature that allows the extraction of documentation from playbooks. This would enable developers to quickly understand the features and use cases associated with a playbook, so they can modify or interact with it. This would eliminate the need for someone to manually explain each playbook in detail. 

I would suggest making the app customizable and deployable in an easy and straightforward manner. This would save time and effort compared to the current process.

I have been using the solution for four years.

Although not the most stable solution, I would say the overall stability of the updates is satisfactory. I give the stability a seven out of ten.

We had difficulty with scalability, but I would not attribute this to Splunk. It could have been due to our lack of knowledge or lack of support from Splunk. I give the scalability a six out of ten.

Our company utilizes a variety of SOAR tools, including Splunk SOAR, Swimlane, and Palo Alto XSOAR, along with ServiceNow for SecOps. Initially, Splunk SOAR was chosen as the SOAR tool due to its compatibility with the majority of our other tools. Unfortunately, it became apparent that SOAR was difficult to install, service, and price, leading some teams to switch to SwimLane and Palo Alto XSOAR.

The initial setup is not necessarily an easy task, nor is it overly complex, so I would say it's of medium difficulty. Splunk could have provided more documentation and support, considering it is not a free product. It would have been much more helpful if Splunk had provided basic understanding and assistance for those installing the solution.

Deployment took several hours each time to install and upgrade, and we often encountered broken pieces of functionality due to miscoordination or non-sequential startup processes. I remember there were five items that came with Splunk SOAR. Deployment was a difficult process, and we ran into issues every time we had an upgrade.

We used Git version control to deploy our playbooks to SOAR, and then we would pull them back to the production SOAR to bring them into use.

I give the solution a six out of ten because of the scope of building playbooks and automation. Unfortunately, this is accompanied by a downside due to a lack of support, bad applications, inadequate documentation, and a general lack of support.

We have thousands of people using the solution.

I would suggest alternatives to Splunk SOAR due to the cost and poor support. However, if cost and support are satisfactory I would recommend the solution.

Splunk SOAR streamlines the handling of common customer scenarios that arise across diverse situations. Even when specific expertise within our team varies, Splunk SOAR empowers all users with pre-built playbooks, guiding them through the required actions in any circumstance.

Splunk SOAR's UI is user-friendly for managing workflows.

The integration of Splunk SOAR is good.

When we implemented Splunk SOAR we were able to reduce our team of five down to three.

Splunk SOAR's quick response to incidents is the most valuable part.

The cost of Splunk SOAR has room for improvement.

I have been using Splunk SOAR for a couple of years.

Splunk SOAR is stable. We have not heard of any issues from our customers.

Splunk SOAR is scalable.

The cost is high and the licensing is on an annual basis.

I would rate Splunk SOAR an eight out of ten.

We use Splunk SOAR mainly for security.

The most valuable feature of Splunk SOAR is the automated playbooks, which saves analysts time. The results that are returned provide additional context that we would have to look up manually in different tools. Splunk SOAR provides it in one pane of glass.

Splunk SOAR should improve its ease of upgrade, which is a pain point for us right now. Each upgrade to the version requires expertise and time commitment. Then, we usually have to troubleshoot it with support.

I have been using Splunk SOAR for two years.

Except for the upgrade challenges, Splunk SOAR is stable when it's operational.

Splunk SOAR is a scalable solution.

Splunk SOAR's technical support has been responsive. We have to go through tiers to get to the correct person for support.

Positive

Splunk SOAR's initial setup is complex.

The solution's deployment requires Splunk's outsourced professional services, who take care of the complexity for you. The professional services were good, and they knew what needed to be done for the solution's implementation.

Two people were required for the solution's deployment. These two people were responsible for administration, the use cases we needed to develop, our integration with the platforms, and integration with Splunk Enterprise.

We've had some challenges justifying our return on investment because of the development work and the continual efforts to maintain the solution. We haven't seen the return on investment yet, but I'm hopeful it can get us there.

Splunk SOAR is an expensive solution for an organization of our size. I don't like the solution's licensing model.

Before choosing Splunk SOAR, we evaluated other options. Splunk SOAR easily integrated with our Splunk solution, which was our main key. We are already a Splunk customer, which made the contracting easy.

Our organization monitors multiple cloud environments. Monitoring multiple cloud environments using Splunk SOAR is fairly easy when the integrations work. Some apps within Splunk SOAR require you to configure them and ensure they maintain their connection and that they're updated. We've had several issues with third-party ones and those developed by Splunk.

It is important for your organization that Splunk SOAR has end-to-end visibility into your cloud-native environment. We're security-focused, and we want to be able to look at the logs that are in our native applications.

For the use cases we've implemented, Splunk SOAR has helped reduce our mean time to resolve. However, there's been a lot of time to develop that. Overall, I haven't seen that I've saved time yet, but I expect we will in the future. Splunk SOAR can save the analyst up to 30 minutes for a single malware analysis playbook.

Overall, I rate Splunk SOAR a six out of ten.

We use the solution to automate some of our legacy processes. We review items like phishing and emails.

The product’s integration with other Splunk products is valuable. It's easier to collect and enrich all the data to give our incident response teams better access to the information to make their decisions.

Some of the training materials are on a basic level. They don't feel like they're really in-depth. I would like to have more advanced and in-depth training.

My organization has been using the solution for two months.

There have been no issues whatsoever with stability. I wouldn't expect there to be any downtime.

We have a large environment. We have more than 10,000 devices in our organization. It's a complex environment, depending on which areas we're working with. We have different types of regulations.

The team we're working with right now is extremely helpful, and it's easy to coordinate with them and get them involved. They're very welcoming and open to helping us. They are going out of their way to set up meetings to answer questions and help us with the process.

Positive

There's a lot of overlap of concepts between our current SOAR solution and Splunk SOAR. The dashboard's functionality in Splunk SOAR has great value compared to our current platform. It was not easy to make dashboards or reports at a high level in our current solution. It was a bit tedious and difficult. It’s a lot easier to facilitate with Splunk SOAR. Splunk SOAR integrates nicely with all the other Splunk products. We can enrich the data.

We are still going through the initial deployment of the product. The deployment is easy since it is a SaaS solution. There's not much for us to configure right out of the box.

One of the biggest factors that helped the management to decide to switch to Splunk SOAR was its cost. The solution's cost model, Mission Control, and other features make it cost-effective.

We are fairly new to the solution. We are still adjusting Splunk SOAR. As I use the platform more, it'll become more intuitive. My core focus is on the SOAR platform. We're still beginning to get the tool fully customized for us. We are going through the basics to get all the way to fully leveraging the tool. We are still considering how to go from our current setup and expand it.

Our organization monitors multiple cloud environments with Splunk SOAR. It is important for our organization that the product has end-to-end visibility into our cloud-native environment. It allows us to have better incident response. Having visibility on where the attacks or different issues are coming from allows us to better respond to them.

The workshops are the biggest value I get from attending Splunk conferences. I'm getting a lot of real-world examples from different companies. It helps with networking and meeting other individuals who are going through the same type of process or are already leveraging Splunk SOAR. I can get feedback on how they're leveraging the platform. It gives us a lot of insight into things we should consider as we start to set up and build environments.

Overall, I rate the product a ten out of ten.

We are primarily using it to automate tasks for our incident response team. They use it to block suspicious traffic from our network detection system and for alerts from our endpoint security system. Those are the two major use cases we're using it for right now.

It has definitely saved a decent amount of time for our analysts so they can focus on other tasks. This gives us more value for man hours.

It has definitely improved our business resilience. It's given us greater visibility into the environment we have and the ability to collect all of the threat and log data and put it into one central place.

The ability to connect it to external apps is the most valuable feature. We've also gotten a lot of use from writing custom apps for some of our authentication systems for password scramble.

Splunk's ability to predict, identify, and problem-solve in real time is really good.

Splunk's ability to provide business resilience by empowering staff is fairly high. It detects issues as they come up and responds to them.

We have seen time to value. I did help configure it, but we do have the cloud solution, so it was mostly in place.

It has definitely helped to reduce our meantime to resolve. Having it there to automatically take action as events come in and not needing the analysts to have to go out and have a look is how it saved time.

We've run into a few minor issues. Some of the playbook writing is a bit complicated. We've had a few hiccups with the source control. We'd really like to use GitHub deployment keys for a dedicated account. We haven't been able to do that. I think those are some of the major ones. 

There is a general learning curve as far as playbook writing goes. 

I have been using SOAR for four to five months.

Stability is good. We've had a few hiccups with apps, but never a major outage. I would rate it an eight out of ten.  

I haven't really grown it very wide yet, but I could easily foresee us doing that.

I've opened a few tickets for different issues with apps, and they have always been responded to fairly quickly. I'd give support a ten out of ten. 

Positive

I did help configure it but we have a cloud solution, so it was mostly in place.

The development was fairly straightforward. There were some issues setting up the single sign-on, but we were able to get help from Splunk to get all that straightened out. The roles in user accounts and onboarding were all fairly straightforward. App configuration is also something that's pretty streamlined and intuitive.

We did it all in-house.

We have seen ROI in its ability to streamline and automate mundane tasks that we would run into on a daily basis. It freed up DevOps people from having to maintain custom tools that were previously used to complete similar tasks.

I would rate Splunk SOAR a nine out of ten. 

My primary use case is for SOC automation but it's used for a lot more than that. Some of the use cases are more or less appropriate for it. It's capable of doing a lot of things.

We use the SOAR platform to ingest alerts and escalations that we get. They do the actual enrichment processing and triaging but we don't use it for detection. We potentially could, but it's not what the product is meant for.

The visual playbook editor updates that they released have been absolutely instrumental because the old editor was impossible to look at for most of the time. It made my eyes bleed. I still have to look at it from time to time. 

Splunk does provide substantial value. 

It definitely does reduce our mean time to resolution through the enrichment details that it provides. Inputting your facts and details of the things you do not want to see with the events coming into it and easily filtering down off of that is one of the main value drivers outside of phish removal.

The most valuable feature is the API connector, depending on how it's formatted and who made the actual app offering for it. The REST API is my favorite component. It's very easy to use. The filters are also really valuable. Those are the two primary features but I enjoy using the rest of it. 

SOAR is probably the most unreliable product Splunk has and that's because most of it is content driven from what you put into it. There are certain parts of it that have a little bit of difficulty at volume too. It's always changing. There is new stuff coming out for it that's going to make it a little bit better, but it does have some drawbacks.

It's specifically geared for SOC and not broader automation. The artifact filtering that's forced on everything inside the platform is pretty awful. It's for a subset of active playbooks which, out of the two hundred that we own, I think three or four of them are active, but we have to play with that setting for each one of them. 

Every block should also have that option specifically because if you're not doing the artifact filtering on the front end, it's not good. 

We've had lots of processes that have been victim to filtering not working appropriately at scale. It's hard to actually track down and trace because we can't reproduce the issues that we see in our testing environment or in production. That was two minor versions ago. It might have changed, it might not have, but we don't have a lot of trust in that feature.

UI elements like interacting with our analysts are near impossible. Finding stuff on the actual dashboard is really impossible most of the time. One example is that the timeline takes up three-quarters of the screen, but not a single person uses it because you have to individually set the container, the artifacts, and the actions to a specific attribute field that's really difficult to correlate to the actual events you put into it. The artifacts are really weird too because they're not traditional forensic artifacts. You shouldn't be able to change the value of an actual artifact. It was in that capacity but we also use it for that purpose in the platform. 

My company was one of Splunk's first five customers. I have been using it for the last three years.

I've only crashed SOAR a few times and it was my fault. If you have a production environment that's been running for a month or two and you have a few thousand events in it, if you mess up your query when you're trying to ask it a question and you do page size zero, it will just give you things on it, and it will crash it. That's a fun thing, but you shouldn't do that in general. That was a mistake on my part. Generally, it is very stable and available as most of the issues are usually the fault of the vendors that it's talking to, but that's with any platform.

Scalability is interesting. Some of the assets do choke each other out. There is a cyclical lock thing that we had to fix on our inside. We have a CrowdStrike app, and we give it a file and ask it to do something and it goes great. It tells us that the default wait time is fifteen minutes, and there's only one of me. But there are five processes competing for that, and you get a giant backlog. We had to make our own custom app to get it later. 

We have about fifty users on SOAR and a few hundred playbooks. Our environment is fairly large in terms of standard customers.

I didn't do the initial integration, it was many years ago but we do deployments with the platforms team because we have the experience. 

We have it down to a pretty good science right now because platform science does a really good job of automating the steps that go into setting up the server and whatnot. One good thing about the SOAR connectors that we have in the apps is the ability to save states and for apps just to self-heal. That has been really helpful because things go down from time to time and we don't have to worry about it because there's a second or third process that's going to pick it up.

I have heard they are changing pricing, not possibly for the better. In comparison to the other vendors we looked at, they're all in the same ballpark of what they should be billing on. SOAR makes the most sense out of all of them, in terms of the billing factors.

We are looking at other platforms currently to compare areas. Splunk's editors are exceptionally better to look at. Visually, it's easier to find things and configure them. 

There is more capability out-of-the-box for doing typical data transformation that you don't have to write too much code for, which is really nice. The code blocks have annotations in them. So when you actually open and look at what you worked on, four or five months later, you have your notes right there in the same place where it runs, which is really handy. 

It's also just built for broader automation and it's all more HTTP, actions-based. Instead of having to build a connector, then put that on GitHub and install that in your platform, you can define an endpoint with credentials and you can do the same thing with SOAR. It's encouraged to do it with the actions and assets, which can be beneficial depending on what the product is. 

If we do continue using SOAR, I think we're going to default to using more HTTP actions and stop using too many assets because it's a bit of a burden to create one, especially if out-of-the-box the actual configuration doesn't do what we need it to. 

One example of this that we have is the request tracker app that we use for all of our tickets. When you ask it for the ticket information, it will return the metadata on it, nothing inside the actual ticket. That's a fork we have to create. It didn't actually do the basic product functionality that the vendor should be providing. 

We also find that the vendors don't always keep the SOAR connectors updated. Sometimes they'll update the associated API, and then their connector will stop working because they're on different versions, and then we have to force our own fix on that. They usually make a SOAR connector just to say that they have one, but they won't put too much effort or thought into it.

I'd probably rate the functionality an eight or a nine out of ten. I would give the UI a four out of ten. I would rate general Splunk SOAR a seven out of ten.