Splunk SOAR Reviews

I am the CTO of a startup. We evaluated this product.

Our major requirement was to open APIs to our product. I felt that the open-source product that I evaluated was better in terms of open APIs to integrate into the existing product because Splunk SOAR is an enterprise product and not an open-source one. However, after evaluating the go-to-market time and how soon we can implement things, the customer preferred Splunk SOAR because it could be easily integrated. Over time, they may choose to have the capabilities inside the in-house product instead of using Splunk SOAR, but at this point, they are using Splunk SOAR.

We have our own product. We were developing our in-house engine based on user analytics and behaviors, but because of funding issues, we stopped working on that. During that time, I started looking at Splunk SOAR to compare its features, and that is how I was able to recommend it to the customer. I told them that instead of creating these capabilities in the in-house product, they could start using Splunk SOAR. In the future, we will be able to import the workflow from Splunk SOAR into the product. We would need a standardized backend to be able to import the workflows. At this point, it is not available, but in the future, just like JSON or XML, it should happen. There should be portability. I am not sure if it is in their roadmap. It is their loss in one aspect, but it is a gain in another aspect because they can claim that workflows are portable across platforms.

A major use case for my customer was dealing with DDoS attacks. The customer is in the BFSI industry. The major issue for them was people trying to get access to customer accounts by logging in or generating OTPs from different locations. They wanted to limit access to OTPs and logins from particular geographies because 95% of their customer base is from an Asia-Pacific country. They were able to do that and solve that issue. They were also able to reduce the cost of customer care because when a customer gets a message about an OTP for a withdrawal, they tend to call customer care. Instead of generating an OTP, they created a workflow to avoid generating an OTP when it is requested from other geographies. They developed a workflow to make a call to the customer and confirm if they have requested the OTP for money withdrawal. In our geography, rules are becoming stricter and stricter, and banks are held responsible for such cases. The customer was able to meet the requirements of the government. They were also able to save money and reduce operational costs. They could save 75% of operational costs.

I have used the solution's playbooks and the visual playbook editor to help automate tasks. I am a technical person, so it is easy for me to use the playbooks and visual playbook editor. I also write playbooks at the code level.

Spunk SOAR has saved us time in alert triage.

Spunk SOAR has saved time in threat response. They were able to stop 75% of the cases of sending OTPs to the wrong people.

Spunk SOAR's automation helped reduce tedious manual tasks. Based on the input that I got for the first two quarters, there was somewhere about a 75% reduction.

Workflow management is most valuable. It is easily customizable. 

Portability is one thing that is currently lacking. The open-source product that I evaluated had portability. It would require a lot of development effort, but it will save the cost of rewriting all the playbooks.

Its stability is pretty good. UI is more responsive than other tools for writing playbooks and other things.

When I evaluated, there were just one or two users. They have been using it only for two quarters. I will know its scalability better after a year or so.

It is SaaS-based. Being a BFSI business, most of their core applications are on-premises, but the applications that we have evaluated stay on AWS.

It is much quicker to onboard compared to the open-source tools I have used. We were able to onboard initial applications in a day. It is very fast.

I helped the customer to onboard it. There was also help available from the Splunk team. 

I evaluated Splunk SOAR and a few other SOAR solutions. I evaluated an open-source solution and the IBM solution. I preferred Splunk SOAR because of its log processing and the way it allows you to customize workflows. I felt it was better than any other competitor in the market because it is a next-generation SOAR tool.

I would rate Splunk SOAR a nine out of ten because there is no portability.

We primarily use the solution for security automation. It's used to investigate and remediate threats.

Normally, we would have to manually investigate events. However, with Splunk, everything is automatically investigated. 

The playbooks are great. They are very useful. We can define rules, including what the remediation should be. Everything gets clearly defined. You can set up different types of automation. It helps increase efficiency and productivity.

The solution provides us with end-to-end visibility.

It's easy to visualize and troubleshoot our cloud-native environment using Splunk. There's simple product management and quick detection and response that helps minimize risks. I can handle continuous monitoring from an operation control center. 

We can integrate with other systems. It's helped minimize incident tickets and my overall response time has been lowered. We began to realize benefits within three to four months of deployment. 

Splunk is very easy to use during an investigation. It's very straightforward. 

We've been able to reduce our security event volume by 50%. We've also been able to reduce our mean time to detect by about 25%. It's helped us save time and consolidate tools in our environment so that we can minimize staff appropriately. The automation makes all of this possible.

The number of playbooks on offer should be increased. 

I have been using the solution for two years.

The solution has consistently been stable. 

We have about 300 people using the solution. It's scalable. We may increase usage in the future. We want to get the enterprise license. 

Technical support has been good. 

Positive

We did not previously use a different solution. 

It was easy to implement the solution. It took our team about four months to be trained on how to use the playbooks. 

We had two people managing the deployment process. One handled configuration, and the other handled integration. 

No maintenance is required for the product once implemented. 

We handled the implementation in-house. 

I'm not aware of the exact pricing. 

We did not evaluate other options. 

It's a valuable solution. It enables SIEM capabilities. We're able to orchestrate when events are happening, and this minimizes event tickets. We are able to handle security challenges while gaining good visibility.

I'd rate the solution nine out of ten. 

We use the solution to automate some of our legacy processes. We review items like phishing and emails.

The product’s integration with other Splunk products is valuable. It's easier to collect and enrich all the data to give our incident response teams better access to the information to make their decisions.

Some of the training materials are on a basic level. They don't feel like they're really in-depth. I would like to have more advanced and in-depth training.

My organization has been using the solution for two months.

There have been no issues whatsoever with stability. I wouldn't expect there to be any downtime.

We have a large environment. We have more than 10,000 devices in our organization. It's a complex environment, depending on which areas we're working with. We have different types of regulations.

The team we're working with right now is extremely helpful, and it's easy to coordinate with them and get them involved. They're very welcoming and open to helping us. They are going out of their way to set up meetings to answer questions and help us with the process.

Positive

There's a lot of overlap of concepts between our current SOAR solution and Splunk SOAR. The dashboard's functionality in Splunk SOAR has great value compared to our current platform. It was not easy to make dashboards or reports at a high level in our current solution. It was a bit tedious and difficult. It’s a lot easier to facilitate with Splunk SOAR. Splunk SOAR integrates nicely with all the other Splunk products. We can enrich the data.

We are still going through the initial deployment of the product. The deployment is easy since it is a SaaS solution. There's not much for us to configure right out of the box.

One of the biggest factors that helped the management to decide to switch to Splunk SOAR was its cost. The solution's cost model, Mission Control, and other features make it cost-effective.

We are fairly new to the solution. We are still adjusting Splunk SOAR. As I use the platform more, it'll become more intuitive. My core focus is on the SOAR platform. We're still beginning to get the tool fully customized for us. We are going through the basics to get all the way to fully leveraging the tool. We are still considering how to go from our current setup and expand it.

Our organization monitors multiple cloud environments with Splunk SOAR. It is important for our organization that the product has end-to-end visibility into our cloud-native environment. It allows us to have better incident response. Having visibility on where the attacks or different issues are coming from allows us to better respond to them.

The workshops are the biggest value I get from attending Splunk conferences. I'm getting a lot of real-world examples from different companies. It helps with networking and meeting other individuals who are going through the same type of process or are already leveraging Splunk SOAR. I can get feedback on how they're leveraging the platform. It gives us a lot of insight into things we should consider as we start to set up and build environments.

Overall, I rate the product a ten out of ten.

We are primarily using it to automate tasks for our incident response team. They use it to block suspicious traffic from our network detection system and for alerts from our endpoint security system. Those are the two major use cases we're using it for right now.

It has definitely saved a decent amount of time for our analysts so they can focus on other tasks. This gives us more value for man hours.

It has definitely improved our business resilience. It's given us greater visibility into the environment we have and the ability to collect all of the threat and log data and put it into one central place.

The ability to connect it to external apps is the most valuable feature. We've also gotten a lot of use from writing custom apps for some of our authentication systems for password scramble.

Splunk's ability to predict, identify, and problem-solve in real time is really good.

Splunk's ability to provide business resilience by empowering staff is fairly high. It detects issues as they come up and responds to them.

We have seen time to value. I did help configure it, but we do have the cloud solution, so it was mostly in place.

It has definitely helped to reduce our meantime to resolve. Having it there to automatically take action as events come in and not needing the analysts to have to go out and have a look is how it saved time.

We've run into a few minor issues. Some of the playbook writing is a bit complicated. We've had a few hiccups with the source control. We'd really like to use GitHub deployment keys for a dedicated account. We haven't been able to do that. I think those are some of the major ones. 

There is a general learning curve as far as playbook writing goes. 

I have been using SOAR for four to five months.

Stability is good. We've had a few hiccups with apps, but never a major outage. I would rate it an eight out of ten.  

I haven't really grown it very wide yet, but I could easily foresee us doing that.

I've opened a few tickets for different issues with apps, and they have always been responded to fairly quickly. I'd give support a ten out of ten. 

Positive

I did help configure it but we have a cloud solution, so it was mostly in place.

The development was fairly straightforward. There were some issues setting up the single sign-on, but we were able to get help from Splunk to get all that straightened out. The roles in user accounts and onboarding were all fairly straightforward. App configuration is also something that's pretty streamlined and intuitive.

We did it all in-house.

We have seen ROI in its ability to streamline and automate mundane tasks that we would run into on a daily basis. It freed up DevOps people from having to maintain custom tools that were previously used to complete similar tasks.

I would rate Splunk SOAR a nine out of ten. 

As part of the cybersecurity incident response team, we were responsible for handling phishing emails related to business-as-usual operations. It was a manual process that would include five to six checks to determine the category of the email, its legitimacy, if it was malicious, and if it was an impersonation or a phishing email. We also worked on a use case for our infrastructure's proxy solutions. End users would request that certain websites be unblocked, as they had been blocked by the proxy's default policy or categorically blocked by the proxy. For this, we evaluated publicly available information about the website and the justification provided by the users, to determine whether the website should be whitelisted or made accessible.

Then, we implemented the automation process to simplify such tedious processes. In addition, we had a manual process in place for our threat hunting and threat intelligence platform, where we monitored leaked data on the dark web. This was documented as a use case. Our account management team also conducted weekly checks on the status of accounts. The process also made the team check if they were logged in on their accounts and if the account was disabled, which were manual processes that were later integrated into Splunk SOAR.

As a security analyst in the SOC center, I have seen the impact of implementing Splunk SOAR on our phishing email analysis process. Before its use, analyzing each email would take at least 15 to 20 minutes, with some complex cases taking up to 30 minutes. Of all the emails received, 30% were complex, 50% were average, and 20% were straightforward and would only take five to ten minutes to analyze. With the automation provided by Splunk SOAR, we can significantly reduce the amount of time and human effort required to complete this task. Instead of two analysts taking two to three hours to analyze 20 to 30 emails, one analyst can now complete the same task within one to two hours.

The most advantageous feature of Splunk SOAR is its ease of writing search queries, which can be attributed to Splunk's powerful analytics tool running in the background, offering a smooth user experience.

Improvements are needed in automation options as customization is limited, which may make complex use cases challenging despite the solution being able to meet basic requirements.

Currently, the tool only allows categorization into two categories, malicious and non-malicious, which has been identified as a limitation by security analysts in various group brainstorming sessions. The ability to create custom categories for emails can benefit security analysts.

I was associated with this solution for almost three years. In my previous organization, Meredith, we initially deployed Splunk. Before that, we were using the ArcSight SIEM solution. Later on, after moving on to the Splunk environment, Meredith thought of opting for an automation process. So, we onboarded Splunk SOAR, but the user Splunk was managed by a third-party company.

Stability-wise, it is good. It doesn't have any downtime issues. If you consider Splunk SOAR as an independent solution to be deployed at work, then that would not be easy. The challenge is that Splunk SOAR cannot work without the Splunk SIEM solution. But if you have Splunk as your base, then Splunk Phantom works well. So the issues with Splunk Phantom are very minimal. I would rate it an eight on a scale of one to 10, where one is considered the worst and 10 is the best.

In terms of scalability, I believe Splunk SOAR is decent. I haven't encountered any stability issues, even with a large infrastructure of over 10,000 end-user devices and high log inflows. I would rate its scalability as an eight or nine out of ten, where one is the worst and ten is the best. It works well in both large and small work environments.

The technical support for the Splunk SIEM solution was average. Splunk is still working on improving its customer support, as they do not directly support SOAR, which is a separate entity. Other vendors, on the other hand, support various environments. I believe that Splunk can improve its customer support services.

Neutral

I previously used Demisto, a security automation tool, in one of my previous organizations, Dell Technologies. The ease of writing custom queries and making granular modifications were the key reasons why we used it. In my next organization, I used Splunk SOAR because we already had Splunk in our environment. Currently, I am working in a bank that does not have a Splunk environment, so I am using a different automation tool.

The deployment warranted collecting information on the external and internal parameters of our network system. A network engineer along with a team of four to five people from Hurricane Labs was involved in the deployment of the Splunk SIEM solution for the company. The deployment of the Splunk SIEM solution took approximately six to nine months. During the first three months, the team familiarized themselves with the environment and started the transition from an off-site setup. Over the next six to nine months, the team worked to mature the solution and address any issues with logs not being collected properly and displayed on the Splunk screen.

Splunk SIEM was deployed by a third-party vendor. The vendor was responsible for the end-to-end deployment and was the main point of contact for the project. However, I am not familiar with the specific details of the deployment and therefore cannot accurately explain how the deployment of the solution was done.

In terms of pricing, I would rate it a six or seven out of 10, where one is the highest and 10 is the lowest. It’s on the expensive side, and I'm not sure if a lot of the small-sized organizations will be able to afford it. A medium enterprise environment will be able to afford it. We had to pay for the cost of the licenses for the services we received.

If you use Splunk as your SIEM solution, you can consider Splunk SOAR as your automation tool. However, automation tools such as AutomationEdge or Demisto may provide better value if you have other SIEM solutions.

I rate this solution a seven out of ten.

My primary use case is for SOC automation but it's used for a lot more than that. Some of the use cases are more or less appropriate for it. It's capable of doing a lot of things.

We use the SOAR platform to ingest alerts and escalations that we get. They do the actual enrichment processing and triaging but we don't use it for detection. We potentially could, but it's not what the product is meant for.

The visual playbook editor updates that they released have been absolutely instrumental because the old editor was impossible to look at for most of the time. It made my eyes bleed. I still have to look at it from time to time. 

Splunk does provide substantial value. 

It definitely does reduce our mean time to resolution through the enrichment details that it provides. Inputting your facts and details of the things you do not want to see with the events coming into it and easily filtering down off of that is one of the main value drivers outside of phish removal.

The most valuable feature is the API connector, depending on how it's formatted and who made the actual app offering for it. The REST API is my favorite component. It's very easy to use. The filters are also really valuable. Those are the two primary features but I enjoy using the rest of it. 

SOAR is probably the most unreliable product Splunk has and that's because most of it is content driven from what you put into it. There are certain parts of it that have a little bit of difficulty at volume too. It's always changing. There is new stuff coming out for it that's going to make it a little bit better, but it does have some drawbacks.

It's specifically geared for SOC and not broader automation. The artifact filtering that's forced on everything inside the platform is pretty awful. It's for a subset of active playbooks which, out of the two hundred that we own, I think three or four of them are active, but we have to play with that setting for each one of them. 

Every block should also have that option specifically because if you're not doing the artifact filtering on the front end, it's not good. 

We've had lots of processes that have been victim to filtering not working appropriately at scale. It's hard to actually track down and trace because we can't reproduce the issues that we see in our testing environment or in production. That was two minor versions ago. It might have changed, it might not have, but we don't have a lot of trust in that feature.

UI elements like interacting with our analysts are near impossible. Finding stuff on the actual dashboard is really impossible most of the time. One example is that the timeline takes up three-quarters of the screen, but not a single person uses it because you have to individually set the container, the artifacts, and the actions to a specific attribute field that's really difficult to correlate to the actual events you put into it. The artifacts are really weird too because they're not traditional forensic artifacts. You shouldn't be able to change the value of an actual artifact. It was in that capacity but we also use it for that purpose in the platform. 

My company was one of Splunk's first five customers. I have been using it for the last three years.

I've only crashed SOAR a few times and it was my fault. If you have a production environment that's been running for a month or two and you have a few thousand events in it, if you mess up your query when you're trying to ask it a question and you do page size zero, it will just give you things on it, and it will crash it. That's a fun thing, but you shouldn't do that in general. That was a mistake on my part. Generally, it is very stable and available as most of the issues are usually the fault of the vendors that it's talking to, but that's with any platform.

Scalability is interesting. Some of the assets do choke each other out. There is a cyclical lock thing that we had to fix on our inside. We have a CrowdStrike app, and we give it a file and ask it to do something and it goes great. It tells us that the default wait time is fifteen minutes, and there's only one of me. But there are five processes competing for that, and you get a giant backlog. We had to make our own custom app to get it later. 

We have about fifty users on SOAR and a few hundred playbooks. Our environment is fairly large in terms of standard customers.

I didn't do the initial integration, it was many years ago but we do deployments with the platforms team because we have the experience. 

We have it down to a pretty good science right now because platform science does a really good job of automating the steps that go into setting up the server and whatnot. One good thing about the SOAR connectors that we have in the apps is the ability to save states and for apps just to self-heal. That has been really helpful because things go down from time to time and we don't have to worry about it because there's a second or third process that's going to pick it up.

I have heard they are changing pricing, not possibly for the better. In comparison to the other vendors we looked at, they're all in the same ballpark of what they should be billing on. SOAR makes the most sense out of all of them, in terms of the billing factors.

We are looking at other platforms currently to compare areas. Splunk's editors are exceptionally better to look at. Visually, it's easier to find things and configure them. 

There is more capability out-of-the-box for doing typical data transformation that you don't have to write too much code for, which is really nice. The code blocks have annotations in them. So when you actually open and look at what you worked on, four or five months later, you have your notes right there in the same place where it runs, which is really handy. 

It's also just built for broader automation and it's all more HTTP, actions-based. Instead of having to build a connector, then put that on GitHub and install that in your platform, you can define an endpoint with credentials and you can do the same thing with SOAR. It's encouraged to do it with the actions and assets, which can be beneficial depending on what the product is. 

If we do continue using SOAR, I think we're going to default to using more HTTP actions and stop using too many assets because it's a bit of a burden to create one, especially if out-of-the-box the actual configuration doesn't do what we need it to. 

One example of this that we have is the request tracker app that we use for all of our tickets. When you ask it for the ticket information, it will return the metadata on it, nothing inside the actual ticket. That's a fork we have to create. It didn't actually do the basic product functionality that the vendor should be providing. 

We also find that the vendors don't always keep the SOAR connectors updated. Sometimes they'll update the associated API, and then their connector will stop working because they're on different versions, and then we have to force our own fix on that. They usually make a SOAR connector just to say that they have one, but they won't put too much effort or thought into it.

I'd probably rate the functionality an eight or a nine out of ten. I would give the UI a four out of ten. I would rate general Splunk SOAR a seven out of ten. 

We have around 95 different use cases for Splunk SOAR that help secure our environment. 

The solution has helped us automate and customize some of our servers.

I give an eight out of ten for the ease of creating a playbook. The visibility of the solutions playbook viewer is user-friendly.

We have integrated 15 plus services with Splunk SOAR. Splunk SOAR is easy to use for investigations as long as they have experience with the solution.

Splunk has helped us reduce our security event volume. The solution has also helped us reduce our mean detection time by 80 percent and has helped our security IT staff save time to work on other projects.

Splunk SOAR has as well helped us consolidate tools in our environment. 

Scalability is the best feature of the solution.

The algorithm and machine learning have room for improvement and can be more user-friendly.

The integration with the phone system, price, UI, and performance have room for improvement.

I have been using the solution for one year.

I give the stability a seven out of ten.

I give the scalability an eight out of ten.

I previously used Swimlane which has a better GI than Splunk SOAR.

I give the initial setup an eight out of ten. There is a lot of documentation available online to help with deployment and as long as we know how to configure it, it is straightforward. For basic deployment, we do not require much time.

The implementation was completed in-house.

I give the price a six out of ten. Splunk SOAR is priced higher than most other solutions.

I give the solution a seven out of ten.

I recommend Splunk SOAR for larger organizations.

We wanted to automate the process of creating playbooks, orchestrating events, customizing integrations, and deploying applications such as Thread Connect and Wireless Total for enrichment and threat hunting. We have tailored these applications to meet our specific needs and redeployed them.

As a programmer, I am glad that Splunk did not position itself as a no-code or low-code platform. The solution allows us to customize playbooks and incorporate custom code, allowing us to drag and drop elements while still writing code to build the integrations we need. This makes Splunk a great solution for a solid platform.

Splunk's support for integration is subpar and has room for improvement. 
Splunk should make more effort to keep up with the latest developments in the external world, so that their applications, integrations, and enrichment apps are up to date. Additionally, the documentation and support should be improved, as the experience, their users have had in the past has been unsatisfactory. We were very disappointed that our queries were left unresolved for six months, as it was a time for response rather than solutions. Additionally, several tickets were lodged with Splunk, yet the issue persisted for half a year.

I would request that SOAR add a feature that allows the extraction of documentation from playbooks. This would enable developers to quickly understand the features and use cases associated with a playbook, so they can modify or interact with it. This would eliminate the need for someone to manually explain each playbook in detail. 

I would suggest making the app customizable and deployable in an easy and straightforward manner. This would save time and effort compared to the current process.

I have been using the solution for four years.

Although not the most stable solution, I would say the overall stability of the updates is satisfactory. I give the stability a seven out of ten.

We had difficulty with scalability, but I would not attribute this to Splunk. It could have been due to our lack of knowledge or lack of support from Splunk. I give the scalability a six out of ten.

Our company utilizes a variety of SOAR tools, including Splunk SOAR, Swimlane, and Palo Alto XSOAR, along with ServiceNow for SecOps. Initially, Splunk SOAR was chosen as the SOAR tool due to its compatibility with the majority of our other tools. Unfortunately, it became apparent that SOAR was difficult to install, service, and price, leading some teams to switch to SwimLane and Palo Alto XSOAR.

The initial setup is not necessarily an easy task, nor is it overly complex, so I would say it's of medium difficulty. Splunk could have provided more documentation and support, considering it is not a free product. It would have been much more helpful if Splunk had provided basic understanding and assistance for those installing the solution.

Deployment took several hours each time to install and upgrade, and we often encountered broken pieces of functionality due to miscoordination or non-sequential startup processes. I remember there were five items that came with Splunk SOAR. Deployment was a difficult process, and we ran into issues every time we had an upgrade.

We used Git version control to deploy our playbooks to SOAR, and then we would pull them back to the production SOAR to bring them into use.

I give the solution a six out of ten because of the scope of building playbooks and automation. Unfortunately, this is accompanied by a downside due to a lack of support, bad applications, inadequate documentation, and a general lack of support.

We have thousands of people using the solution.

I would suggest alternatives to Splunk SOAR due to the cost and poor support. However, if cost and support are satisfactory I would recommend the solution.