Splunk Phantom alternatives and competitors

We were looking for a single pane of glass type of solution that would allow us to physically be in one appliance be able to work in concert with other servers that we have within our environment. We wanted orchestration and automation. The single pane of glass was the most important part. 

Every investigator has a different way of tackling an investigation. Essentially what we wanted to do is to take the mundane tasks that the investigators have to do as part of their investigation process and then automate those mundane tasks as a pre-processor. That way, when the investigation is provided to the investigator in order to review what was found, all they have to do is look at the data that was presented to them and they wouldn't have to go through the process of doing the data enrichment with regards to threats and functions of that nature because all of that was done ahead of time as part of the processing.

Right now we've started with one investigation, which is phishing. The user will report any phishing attempts against any of our users within JPL to an email address. Our XSOAR appliance will peek into that mailbox, pull the emails out, and then process those emails that have been reported. As part of the processing, it'll do the data enrichment and once that's done, that's presented to the investigator in order to review the findings. The investigator makes the final verdict. Once the final verdict is rendered, then the other automated task would be the enforcement tasks, which would include any blocking of the sender, blocking of the IP, blocking of the domain, blocking of the URL, and those types of actions.

Palo Alto has gotten the investigators more presence to actually go in the report because being that the platform will email the investigator that it's been assigned to, now the investigators will jump in there and start going through the review process a lot quicker.

When my juniors receive an email, I have trained them to jump on it quickly in order to remediate it quickly. The sooner we get it remediated, the less likely a user that hasn't reported it will click on the link and become a victim.

Palo Alto has reduced the time that it takes to go through the process of investigating a reported abuse. Rather than one individual, which was the process before, that would handle the abuse mailbox, now we have a team of 15 individuals that all share in the remediation of those reported abuse messages.

The process is a lot quicker, nothing seems to slip between the cracks. We've been able to quickly contain phishing campaigns that were launched by external actors against our environment and been able to quickly identify users that have clicked on links and then had them change their passwords in order to reduce the risk of having those accounts used in order to perpetuate additional attacks.

In terms of improvement, it needs to be more modular. It's not. When you're working in layouts and you create specific apps within layouts, there's no portability right now in order to reuse that code across multiple layouts. I can't take a tab and say I want to use this tab on these other layouts. I have to physically go in there and recreate it from scratch, which is maddening.

From an analyst perspective, it's not that hard to use. From a developer, it takes a little while in order to get to understand exactly how one would go about creating a playbook. The automation part is not that hard. It's relatively easy. It's just creating the flowchart.

I have been using this solution for one and a half to two years. 

I have not had an issue with stability yet. 

It is scalable. If I noticed that there wasn't any impact in performance, then I'd simply launch another instance and then cluster them together in order to provide shared resources between the two in a cluster. If a particular integration is misbehaving because there aren't sufficient resources on the one instance that we currently have, then I can detach that instance or that integration from the instance into its own VM. That way it has enough resources on another VM in order to actually run that integration.

There are 15 investigators using this solution. 

In terms of increasing usage, we're looking at bringing in our audit vulnerability and assessment team and having them do their vulnerability assessments from within the platform. I'm going to have to reach out to them to get them to start looking at the vulnerability layout, the incident type, the playbook, and the Nessus connectors in order to be able to have them perform that through XSOAR and then follow up through XSOAR with regards to remediation.

Anytime I have any issues, I'll open up a TAC ticket and then they'll contact a customer support engineer and they'll hand it over to him.

From the aspect of the actual people that work in the technical support area, I would rate them an eight out of ten. I would rate it higher just for the technical aspect. 

We're taking what we have inside of our incident management system and building it into XSOAR. The way case management works now is completely different from the default case management system that is currently in XSOAR.

They wanted to free up the guy that was actually doing all of the work. For some reason, we decided we didn't want it in-house. As far as our in-house solution, it was built on CodeFusion and CodeFusion had a number of vulnerabilities that were identified in the last 15 years. They wanted to move away from that. In order to be able to move away from that, we had to find a solution that would allow us the customizability in order to be able to mimic what we already have.

The initial setup was straightforward. I had assistance with the pre-sales support engineer and the pre-sale support architect. Both helped me to get it set up. As far as our proof of concept, I had to prove that it was customizable enough in order to have it mimic what we already use because we already had a homegrown internal incident management system that we've been using for 15 years.

The initial setup took 90 days. As far as the proof of concept and to set up the first playbook, we ran into some issues where Palo Alto said that the EWS integration worked with on-prem and that we could actually do expungements in an automated fashion. It turned out not to be the case. That took approximately four and a half months to determine that it was not going to function the way it was stated that it would function within the EWS integration. I was hoping to have it done within six months, but it actually took a little over a year to get everything done and into production because of the couple of hiccups that we had with EWS.

I had to reach out to Microsoft and talk to their developers with regards to EWS on-prem and then contact the developers inside of Palo Alto which at first didn't want to talk to me, but I finally got them to talk to me, and then I got them to talk to each other and then came to find out that it doesn't really work.

That took four and a half months of trying to negotiate the communications between Microsoft and Palo Alto. Finally, I had to bypass the expungement enforcement action because there's no way we could do it with our on-prem devices. As far as that's concerned, that's a manual process. We have to send an email out to our Exchange team in order to get the expungement done.

We have seen ROI in the time spent on the investigations.

The pricing model could be better. When I first looked at Demisto, it had a price tag of $250,000 but when we finally purchased it, it was $345,000.

My boss thinks that it was a competitive price though compared to other solutions. My thoughts are we could have done a lot better with the price.

We evaluated Phantom, Siemplify, SOC 3D,  Swimlane, and a plethora of other solutions. 

Demisto led the field. At the time I was looking at it, it was Demisto. Palo Alto had not purchased it. When I started this endeavor, it was six years ago when Demisto was its own company, when Phantom was its own company, SOC 3D was still a company out of Israel, Siemplify was still a company out of Israel, but it was actually starting to set up its US operations. There were a number of other ones. Resilient was another one that I was looking at before they were picked up by IBM.

A lot of these didn't have what I needed, which was the ability to customize and the ability to integrate with a lot of vendors that we already have in-house. The two that came to the very top were Phantom and Demisto, and my final decision was to actually go with Demisto because Phantom was acquired by Splunk and I hate Splunk.

I was ready to buy, but my management was dragging its feet and they didn't want to loosen up the purse strings in order to make the purchase. But as soon as Palo Alto picked them up, then they were okay with it.

I would rate Palo Alto a nine out of ten. 

My advice would be to do the same type of research I did to ensure that it's the appropriate fit for your use case. If it's an organization that has an already existing incident management system, make sure that you can customize it so you can reduce the learning curve for your investigators in order to be able to transition from your old IMS over to the new IMS, which would be XSOAR.

That's the reason why I took so much time in order to ensure that the customization was there in order to allow me to mimic what we already had in IMS and transition that over to XSOAR. That way, the investigators had a lot less of a learning curve. The only learning curve they had was, "Here's the investigation tab. There's all the data that you need in order to make your verdict. Make your verdict." But as far as writing all the reports, call-down lists, and all that other stuff, that's all part of our original process that I transitioned over to XSOAR.

We primarily use the solution for SIEM alerts triage automation and MITRE detection playbooks. We have hundreds of alerts from various detection tools fed into our SIEM. Correlation within the SIEM is difficult for us since our SIEM only supports simple filtering and one level of data sources correlation. Managing and updating correlation rules is a pain. We are now propagating alerts fed into the SIEM directly to LogicHub via a webhook. Within the LogicHub, we have playbooks that automatically enrich the alerts, baseline checking the alerts, risk weighing and scoring the alerts, and then stack ranking the riskiest and impactful ones to be escalated into a case so our analyst can be the human in the loop before we fire off any automated response. 

We no longer need to spend time on false positives. It has improved my detection coverage in areas lacking by the SIEM. A very nice case management system to track and automate tasks. With some of the playbooks automated, our analysts are now spending their time defining newer playbooks either for triage or detection. With the MITRE-based playbooks, we can just import and tweak the detection on areas where our SIEM vendor lacked rules. Our analysts only look at cases, which are less than a handful each day. Our analysts are not looking at alerts, which are 100+ per day. 

The ability to analyze data automatically to make decisions automatically is what I like the most. 

It is also fully integrated with hundreds of other tools. 

Our SIEM has the search capability but it cannot save the dataset for me to merge with the result set of another query. In LogicHub, to join two resultant datasets is super easy because they use SQL operators that I can do left join, right join, inner join, or full cross join. Besides some reporting tools that I used in the past, no other SOAR can do this easily. We automated that whole analytic logic so I don’t need to repeat. 

UI coloring can be improved. The UI resembles an IBM or HP software tool suite. The UI is not fancy like some of the others, however, it does work. The platform is designed for someone who has a logical mindset. The Logic needs to be planned out like any good design. 

The dashboards can be improved. There are basic table, pie, line, and bar data widgets, yet no geo-mapping widget. However, the dashboard does have the good feature of a funnel chart that I can show volumes of alerts vs cases that our team is handling each day. 

I've used the solution for five years.

The stability is good. We haven’t had any major outage yet - fingers crossed. 

LogicHub says they use Apache Spark as their core. I am familiar with Apache Spark as we also have Databricks implemented by other teams in-house on our big data projects. 

We have a customer success manager assigned to us that I have a biweekly meeting with. 

Positive

I used Demisto and Phantom in the past. 

The setup is easy. It’s a cloud-based solution. 

We handled the setup in-house. 

I do not know for sure what our ROI is. The platform is doing the work of two or more security analysts. We are paying the cost of about one analyst. 

LogicHub was the most cost-effective among the three other solutions we looked at. 

We had a bake-off between LogicHub, XSOAR, and Splunk. 

LogicHub engineers took the best of Demisto (CSOAR) and Splunk Phantom and added a threat section and hunting automation to their platform. 

We primarily use this solution with our clients for security operations.

The solution has many connectors, which is quite helpful.

It's easy to integrate the product with others.

The product can be automated for network security purposes. The solution offers a great security automation response.

I don't currently see where the solution is lacking features. For us and for our clients it works very well and we're pleased with it.

The stability of the solution is good. It's not buggy or glitchy. It doesn't freeze. We're satisfied with the level of stability provided.

We have a local distributor for Fortinet that we contact when we need assistance with something technical. They're excellent when it comes to helping us. They're responsive and knowledgeable. I'd rate them very highly.

We've used Splunk in the past, however, we haven't used it in about two years.

The initial setup is not complex. It's straightforward. We found it to be quite easy to install.

It takes about one month to install everything. It's pretty quick. It also takes about one week to create a playbook and educate clients on the use of the device.

We help our clients implement this solution within their organizations.

We're a Fortinet partner.

We're security integrators in Thailand, with clients in the banking and retail sectors, among other industries.

I'm not sure if we're using the latest version of the solution or not.

I'd recommend the solution. I've installed many products, and I believe Fortinet to be one of the best of them.

I would rate the solution five out of ten.