Jigar Hirani - PeerSpot reviewer
Splunk Engineer at Data Elicit Solutions Pvt. Ltd.
Real User
Top 5 Leaderboard
Mar 30, 2026
Automation has reduced manual SOC work and now speeds up phishing and DDoS incident response
Pros and Cons
  • "Splunk SOAR is really saving my time."

    What is our primary use case?

    I use Splunk SOAR mainly for automating SOC operations and incident response workflow, and I integrate it with Splunk and Splunk ES. I have EDR tools, firewall logs, and Microsoft email, so I use it for email security. I have integrated it with my ticketing management service, ServiceNow, and most of my use cases are related to phishing investigation, brute force attacks, malware alerts, threat activity, suspicious login activity, and vulnerabilities from recently released software. Whenever an alert is triggered from Splunk or ES, Splunk SOAR automatically starts the playbook I have configured and gathers the logs to check against the threshold limit I have defined or enriches data with external services using Splunk SOAR playbooks. I then create incidents or take remediation actions according to the scenario or incident. This reduces the manual work of my SOC team.

    In threat response, Splunk SOAR saves time. For example, with email phishing, it does save time, and for other situations like when I receive simultaneous IP hits from DDoS attacks, it will automatically detect that and send a message on Slack that this IP is hitting this machine at this rate based on the second or minute. I just need to confirm whether I want to block it or not. If I send yes, then it would directly block it into my firewall rules so that this IP should be blocked for this minute or something similar. Splunk SOAR is really saving my time. I can identify directly where this IP came from and whether it is from China or any part of the country. I detect or enrich the data using a playbook, and it saves a lot of time for SOC where actual SOC investigation is not needed. It plays a really good role.

    What is most valuable?

    In Splunk SOAR, playbooks provide a very key role in automation. I can enrich my IP, domain, and hashes or integrate it with other third-party tools like Slack or ServiceNow. I can send an email to the user or block a particular IP into my current firewalls and automate that using a playbook. The most valuable feature for me is playbook automations. There are pre-built playbooks, and I can build my own custom playbooks that speed up my incident response. Most of the time I am getting phishing mail, and then it is not necessary that I am already blocking that phishing mail since I do get new phishing mails every day. I have written playbooks that will automatically define a rule at my email security that this phishing email I got is blocked. It is something I like most.

    Apart from this, app integration and case management are valuable. The custom functions features that Splunk SOAR provides, such as Python custom functions, are also valuable. Engineers can easily write their rules or define their logic. Splunk SOAR saves time in threat response. As I have given the example about email phishing, it does save time there, and for other situations like when I receive simultaneous IP hits from DDoS attacks, it will automatically detect that and send a message on Slack that this IP is hitting this machine at this rate based on the second or minute. I just need to confirm whether I want to block it or not. If I send yes, then it would directly block it into my firewall rules so that this IP should be blocked for this minute or something similar. Splunk SOAR is really saving my time. I can identify directly where this IP came from and whether it is from China or any part of the country. I detect or enrich the data using a playbook, and it saves a lot of time for SOC where actual SOC investigation is not needed. It plays a really good role.

    What needs improvement?

    I do not think there is anything currently, but as I grow, I can answer better on that. I can just expect some more integration from Splunk. There are vast possibilities to integrate with tools, or I can build my own custom solutions. I will be looking for more supported integrations from Splunk rather than depending on third-party solutions.

    For how long have I used the solution?

    I started with a smaller environment and then I scaled up to the state that I am currently in.


    What do I think about the stability of the solution?

    In my environment, Splunk SOAR is pretty much stable. I have not faced any major issues. However, I have other services running on the same system that are causing Splunk SOAR issues. I am doing that to separate it out on a different machine.

    What do I think about the scalability of the solution?

    I was analyzing what tools were available, but I have not found any other tools that were better for me because I was using other Splunk products. It would be great to have a Splunk product, and I went with Splunk SOAR.

    How are customer service and support?

    As of now I am good with the overall guessing or remediation.

    Which solution did I use previously and why did I switch?

    I was analyzing what tools were available, but I have not found any other tools that were better for me because I was using other Splunk products. It would be great to have a Splunk product, and I went with Splunk SOAR.

    How was the initial setup?

    Deploying Splunk is very straightforward for me because at the time I was implementing it, my environment was small and I was just integrating two or three modules. It was very straightforward for me and the documentation helped me a lot to configure it. I have not faced such a high issue due to the Splunk community, which has a very active community, and I was able to find my answers there.

    What was our ROI?

    If it had impacted my system at that time, I would have needed to call my employees to please come online and try to see what is happening, but that was really saved by Splunk SOAR. Calling an employee on leave is not a good option, according to me.

    What's my experience with pricing, setup cost, and licensing?

    That is managed by someone else in my team, and I will not be a good person to answer that. I was in talks with my team, and whatever I am paying for Splunk SOAR and the licensing I have purchased is really a benefit to me. It is way below what it costs to hire some professionals to do only that type of work. It is very low and I get more control over my systems.

    Which other solutions did I evaluate?

    I was analyzing what tools were available, but I have not found any other tools that were better for me because I was using other Splunk products. It would be great to have a Splunk product, and I went with Splunk SOAR.

    What other advice do I have?

    I rate Splunk SOAR a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Last updated: Mar 30, 2026
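The rate-threshold, analyst-confirmation and timed-block workflow described in the review above, written out as an added example. It is not the reviewer's playbook and does not use Splunk SOAR's own playbook API; the firewall log format, the field names, the `approve` callback standing in for the Slack yes/no prompt, and the sample addresses are all constructed assumptions.

```python
"""Stand-in for a "hits per minute -> ask the analyst -> timed firewall deny"
playbook.  Added example: not Splunk SOAR code, and the log format, field
names and sample IPs (RFC 5737 documentation ranges) are assumptions."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

# Constructed firewall log lines; the last one is deliberately malformed.
SAMPLE_LOG = """\
2026-03-30T10:15:01Z src=203.0.113.7 dst=10.0.0.5 dpt=443 action=allow
2026-03-30T10:15:02Z src=203.0.113.7 dst=10.0.0.5 dpt=443 action=allow
2026-03-30T10:15:02Z src=198.51.100.3 dst=10.0.0.5 dpt=443 action=allow
2026-03-30T10:15:03Z src=203.0.113.7 dst=10.0.0.5 dpt=443 action=allow
2026-03-30T10:15:04Z src=203.0.113.7 dst=10.0.0.5 dpt=443 action=allow
2026-03-30T10:15:05Z src=203.0.113.7 dst=10.0.0.5 dpt=443 action=allow
2026-03-30T10:16:10Z src=198.51.100.3 dst=10.0.0.5 dpt=443 action=allow
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) ")


@dataclass(frozen=True)
class Offender:
    src: str
    dst: str
    minute: datetime  # start of the one-minute bucket
    hits: int


def parse_line(line: str) -> tuple[datetime, str, str] | None:
    """Return (timestamp, src, dst) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"]


def find_offenders(log_text: str, threshold: int) -> list[Offender]:
    """Count hits per (src, dst) per minute; return pairs at or above threshold."""
    counts: Counter[tuple[str, str, datetime]] = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip, never crash the playbook
        ts, src, dst = parsed
        counts[(src, dst, ts.replace(second=0, microsecond=0))] += 1
    return sorted(
        (Offender(s, d, m, n) for (s, d, m), n in counts.items() if n >= threshold),
        key=lambda o: (o.minute, o.src),
    )


def slack_message(o: Offender) -> str:
    """Text the analyst would see in the chat prompt."""
    return (f"{o.src} hit {o.dst} {o.hits} times in the minute starting "
            f"{o.minute:%H:%M} UTC. Block it? (yes/no)")


def build_block_rule(o: Offender, duration_min: int = 60) -> dict:
    """Deny rule with an explicit expiry so an emergency block cannot linger."""
    return {
        "action": "deny",
        "src": o.src,
        "dst": o.dst,
        "expires_at": (o.minute + timedelta(minutes=duration_min)).isoformat(),
        "reason": f"rate {o.hits}/min",
    }


def run_playbook(log_text: str, threshold: int,
                 approve: Callable[[str], bool]) -> list[dict]:
    """Human-in-the-loop: a rule is produced only when the analyst approves."""
    rules = []
    for o in find_offenders(log_text, threshold):
        if approve(slack_message(o)):
            rules.append(build_block_rule(o))
    return rules


if __name__ == "__main__":
    ask = lambda msg: input(msg + " ").strip().lower() == "yes"
    for rule in run_playbook(SAMPLE_LOG, threshold=5, approve=ask):
        print("firewall rule:", rule)
```

The approval callback is the point of the design: detection and enrichment run unattended, but the block itself is gated on a person, and every rule carries an expiry so a hasty "yes" does not become a permanent deny.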
    PeerSpot user
    TonyCormier - PeerSpot reviewer
    Information System Security Officer at a manufacturing company with 10,001+ employees
    MSP
    Top 10
    Oct 13, 2025
    Has helped improve account activity monitoring and streamline threat validation processes
    Pros and Cons
    • "Fortunately, the system helps to parse through these alerts and determine which ones are important and need further investigation."
    • "I'm not an expert on Splunk SOAR, but I'm sure our team members know what areas could be improved."

    What is our primary use case?

    I don't have much hands-on experience with the solution. While I understand its capabilities regarding logging and reporting, I haven't had much direct involvement. The administration is handled by teams within the organization, including our SOC team and the managed security tools team. Our cybersecurity engineers are responsible for managing those aspects.

    We receive reports that track user login activity. We get SOAR reports based on this activity, which inform us when someone hasn't logged in for a certain period of time. Our SOC analysts monitor alerts and investigate them. Sometimes, I need to review the information they send me to validate findings and determine whether there is any malicious activity or if it's just natural behavior within our environment.

    While my primary role doesn't involve monitoring alerts, I do receive external reports from the system. Occasionally, I need to investigate tickets related to alerts. This involves working with engineers, cloud engineers, or system administrators for the flagged systems.

    How has it helped my organization?

    We aggregate data from sources such as CloudTrail and CloudWatch to provide a comprehensive view of activity across the entire environment. We maintain an enterprise cloud setup where we host our customers. The SOC has visibility into everything happening within the system and monitors external components as well, such as internet-facing elements. This allows them to detect any malicious activity or unauthorized access attempts to the network.

    I don't have the metric on the time saved. However, I do see that the SOC team receives a lot of reports. I’m not sure of the exact number, but it’s like hundreds of thousands of alerts every month. A single person couldn't go through them all. Fortunately, the system helps to parse through these alerts and determine which ones are important and need further investigation.

    It organizes the alerts in a way that makes it easier for the team to go through them. They wouldn't be able to manage that volume without some organization in place.

    It has helped improve our organization’s business resilience. I believe we are currently preparing for a security assessment, and Splunk may be collecting some performance data as part of that. This data might be coming from our performance monitoring system, but I need to confirm. Overall, Splunk provides a wealth of information. Our performance monitoring tools detect high CPU utilization, monitor storage, and identify any abnormal activity in the environment. Additionally, some of our tools have machine learning capabilities, which I find very helpful.

    What is most valuable?

    It has some automated features, including alerting and the ability to set up notifications for different entities. This ensures that we are informed of any activity related to user accounts or privileged accounts. It helps identify instances where an account is not being used or when someone has left the organization, making it unnecessary to manually look up accounts. The integration of automation in the SOAR capability enhances this process. The automation reduces the need for manual searches. 

    What needs improvement?

    I'm not an expert on Splunk SOAR, but I'm sure our team members know what areas could be improved. I haven't spoken to them specifically about what could be improved or what they would want Splunk SOAR to improve.

    For how long have I used the solution?

    We have been using this solution for about five years. 

    What do I think about the stability of the solution?

    It's been pretty reliable. I get some alerts as a security lead when there are auditing failures. We get a few of those occasionally, but it's not a common issue.

    How are customer service and support?

    I haven't interacted with them directly, but the team has said their support is really good.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    I do not have any experience with deploying Splunk SOAR. I know that the solution we’re using is cloud-based and hosted in a SaaS environment. Our team deploys agents and sets up the configurations for reporting. I can’t really speak to how complex the setup process is, but our teams could take advantage of or leverage the service.

    What other advice do I have?

    I would rate this solution an eight out of ten.

    Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
    Last updated: Oct 13, 2025
    PeerSpot user
    Strategic Account Executive at a computer software company with 51-200 employees
    Real User
    Top 5
    Oct 22, 2025
    Has automated patch management and incident response to save significant time for financial use cases
    Pros and Cons
    • "Splunk SOAR saves time in threat response, and the time to solve an incident is currently the best in the market."
    • "There are areas where Splunk SOAR can continue to improve, particularly regarding the synchronization of information, as sometimes it takes longer than other tools."

    What is our primary use case?

    One of the main use cases I worked with Splunk SOAR was for a bank, specifically HSBC Hong Kong, a central bank.

    A success story where Splunk SOAR saved my team significant time was during implementation at the bank. Previously, the information of incidents was managed manually, often leading to human errors, but with Splunk SOAR's AI and ML capabilities, they no longer needed to spend excessive time consolidating reports.

    What is most valuable?

    I have experience with Splunk SOAR and am familiar with it as with similar products such as Splunk On-Call.

    The automated patch management feature is what I appreciate most about Splunk SOAR compared to Devo, which includes vulnerability response capabilities, triggers, and the AI-assisted playbook for handling various vulnerabilities.

    Splunk's Unified Platform helps consolidate networking, security, and IT observability tools. When integrating Splunk SOAR with the NOC or operations centers of customers, deep integrations can be achieved, for example, with Cisco Security Cloud and AI and machine learning capabilities, which enhance playbooks and incident analysis.

    Splunk SOAR saves time in threat response, and the time to solve an incident is currently the best in the market.

    My impressions of Splunk SOAR's ability to predict, identify, and solve incidents in real time depend on the customers. If customers have their playbooks or knowledge bases properly implemented beforehand, the real-time capabilities become effective, but often they do not, which creates challenges.

    What needs improvement?

    There are areas where Splunk SOAR can continue to improve, particularly regarding the synchronization of information, as sometimes it takes longer than other tools. While they offer fantastic regional support, such as Spanish technical support, there is still room for improvement.

    I would rate Splunk SOAR support an eight out of ten because escalating a ticket to a higher level can take more time, indicating a need for a larger support team.

    They have bottlenecks in their support system.

    For how long have I used the solution?

    I have dealt with Splunk SOAR for about three years.

    What about the implementation team?

    We purchased Splunk SOAR with a partner, Metabase Q, which is a main partner of Splunk, and they maintain a strong relationship with executives at both companies.

    What other advice do I have?

    My experience with the pricing of Splunk SOAR is that it is expensive; however, it is the best, so if you want the best, you need to invest accordingly.

    I rate Splunk SOAR a nine out of ten because it is really user-friendly, the time to value is great, and it is not complex compared to other solutions such as IBM's, where you often need highly skilled engineers for implementation, while Splunk SOAR provides much functionality out of the box.

    I gave this solution a rating of nine out of ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Last updated: Oct 22, 2025
    PeerSpot user
    Information Security Architect at UMMS
    Real User
    Top 5
    Jul 30, 2025
    Integrating seamlessly with existing security infrastructure to effectively manage alerts and improve response times
    Pros and Cons
    • "The benefits were immediate when we started using Mission Control Splunk SOAR over a year ago; it has made it easier for our analysts to work on alerts using playbooks and forward them."
    • "It would be nice if we could put it on other search heads, not just Enterprise Security."

    What is our primary use case?

    We have it interconnected with Enterprise Security. We use what's called Mission Control. There are two products for Splunk SOAR: Mission Control and Phantom. We're using Mission Control to forward automated alerts to our SOC analysts.

    What is most valuable?

    Being able to integrate with Enterprise Security is a big plus. I can assign admins or analysts roles to manage Mission Control or Splunk SOAR, which is very beneficial. The solution has been effective because we were able to filter out non-important alerts and focus on the important ones. Using playbooks has shortened the mean time to remediate.

    What needs improvement?

    It would be nice if we could put it on other search heads, not just Enterprise Security. We have an ad hoc search head, and compatibility with that would be beneficial. More training classes from Splunk University would also be good.

    For how long have I used the solution?

    We have been using the solution for about a year now.

    What do I think about the stability of the solution?

    There were minor issues with modifying the playbooks and integrating new alerts. The system hasn't stopped working or failed, so it's performing well.

    What do I think about the scalability of the solution?

    I haven't experienced any scalability issues yet.

    How are customer service and support?

    The customer service is good and pretty intuitive.

    How would you rate customer service and support?

    Which solution did I use previously and why did I switch?

    I have personally used LogRhythm's product, though I cannot recall its specific name.

    How was the initial setup?

    The initial setup was fairly easy.

    What about the implementation team?

    We implemented using Splunk's version.

    What was our ROI?

    We have seen positive ROI using various techniques, including risk-based alerting and enabling or disabling false positive alerts.

    What's my experience with pricing, setup cost, and licensing?

    The solution is free for us, which is a beneficial aspect.

    Which other solutions did I evaluate?

    We did consider alternate solutions.

    What other advice do I have?

    Splunk SOAR has been integrated into Enterprise Security 8.1, making it easier to configure. This feature was released about a month ago. The benefits were immediate when we started using Mission Control Splunk SOAR over a year ago. It has made it easier for our analysts to work on alerts using playbooks and forward them. The implementation took approximately four weeks, with about 30% improvement in efficiency and 20% in overall performance. The solution offers more capabilities and better integrations with Enterprise Security. I would rate this solution a nine out of ten.

    Which deployment model are you using for this solution?

    On-premises

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Splunk/SOAR Engineer
    Real User
    Top 10
    Apr 25, 2025
    Provides a visual platform for creating playbooks and significantly improves efficiency
    Pros and Cons
    • "The best feature in Splunk SOAR is the visual Playbook Editor. The drag-and-drop interfaces make visualizations and understanding workflows easy."
    • "Splunk SOAR has made a huge impact across security operations and the business overall."
    • "To make Splunk SOAR a better solution, there could be better built-in debugging tools, smarter playbook suggestions, and enhanced lifecycle management."
    • "There are areas in Splunk SOAR that have room for improvement. To make Splunk SOAR a better solution, there could be better built-in debugging tools, smarter playbook suggestions, and enhanced lifecycle management."

    What is our primary use case?

    My use case for the solution is basically focused on deploying and configuring data related to Splunk, upgrading the Splunk SOAR instances, implementing role-based access controls for different users, and performing system performance tasks, along with resolving logs and connectivity-related issues. 

    Additionally, I handle integrations with SIEM tools such as Splunk and EDR, firewalls, and threat platforms.

    How has it helped my organization?

    Implementing Splunk SOAR has significantly benefited our business. It has made a huge impact across security operations and the business overall. The biggest improvement is in speed, consistency, and scalability of responses. With automation of over 60% of repetitive tasks, it has significantly improved efficiency in threat triage and ticketing.

    Splunk SOAR has saved us dozens of hours every month by automating tasks, which has reduced the manual workloads significantly for level one and level two analysts.

    Splunk SOAR has reduced our Mean Time to Detect by approximately 30% to 40%. The Mean Time To Resolve is approximately reduced by 30% to 40%.

    Splunk SOAR absolutely improves our ability to investigate and gain end-to-end visibility and effectively remediate threats across our environments.

    Visualizing and troubleshooting our cloud-native environment with Splunk SOAR is fast. It enables informed investigations with centralized timelines and helps with immediate responses by gathering data from all SIEM, EDR, and threat feeds.

    Splunk SOAR has saved us time in alert triage. It saves about 20 to 25 minutes per alert by gathering data and checking regulations.

    Splunk SOAR has saved us time in threat response, reducing it by approximately 30% to 50%.

    Splunk SOAR has helped consolidate multiple tools used in the business, such as security tools and threat intelligence tools, into a singular workflow.

    What is most valuable?

    The best feature in Splunk SOAR is the visual Playbook Editor. The drag-and-drop interfaces make visualizations and understanding workflows easy. Moreover, Splunk SOAR supports over 300 integrations with SIEM tools, EDR, firewalls, and threat and cloud platforms. We can also build apps using Python.

    Creating playbooks using the Playbook Editor in Splunk SOAR is easy. The editor is designed to be user-friendly with visual drag and drop features, allowing for easy workflows without writing any code. Simple playbooks, such as IP reputation checks and ticket creation, can be built in just a few minutes, while complex playbooks involving loops and API calls are manageable as well.

    The visibility of the Playbook Viewer is one of the key strengths for Splunk SOAR. It provides a centralized view of an incident from alert to response within a single container and allows you to have action-level transparency by logging each action in real-time. You can click through each step to check input and output status and logs, along with a timeline view for incidents, which aids in the entire investigation.

    Splunk SOAR's ability to integrate with systems and applications in our environment is extensive. It supports a wide range of apps and tools, such as firewalls, ticketing systems including Jira, and cloud platforms like AWS and Azure. It also had easy API-based custom integrations.

    What needs improvement?

    There are areas in Splunk SOAR that have room for improvement. To make Splunk SOAR a better solution, there could be better built-in debugging tools, smarter playbook suggestions, and enhanced lifecycle management. Real-time collaboration features, more granular metrics, and improved reporting for dashboards would also be beneficial.

    For how long have I used the solution?

    I have been using Splunk SOAR for about 5 to 6 years. I am involved in the Splunk Administration and Splunk Analyst roles.

    What do I think about the stability of the solution?

    Considering performance and other factors, I would rate its stability an eight out of ten.

    What do I think about the scalability of the solution?

    It can be extended and adapted as necessary. I would rate its scalability as an eight out of ten.

    In my team, there are 10 to 15 active users working on Splunk SOAR. We are a large organization.

    How are customer service and support?

    I would rate Splunk's technical support as a nine.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    Before using Splunk SOAR, my team utilized various tools, including networking tools and SIEM tools, to assist our SecOps team in performing investigations.

    As compared to other SOAR solutions, Splunk SOAR is the most flexible platform available in the market, especially in terms of integration capabilities and compatible playbooks. It has strong alignment with Splunk Enterprise Security compared to tools like IBM SOAR, which may lack flexibility.

    How was the initial setup?

    It wasn't very easy. It includes a lot of techniques and methods. It takes a couple of days to deploy.

    It didn't take much time to train my SOC team on how to use playbooks after implementing Splunk SOAR. As a SOC team, we routinely deal with incident responses and track day-to-day activities using various tools, including Splunk. Splunk effectively gathers information regarding unauthorized user access, which helps us track and analyze them swiftly.

    What's my experience with pricing, setup cost, and licensing?

    Splunk SOAR is moderately priced, neither cheap nor overly expensive.

    What other advice do I have?

    I would absolutely recommend Splunk SOAR to other users, but it also depends on their specific use cases for threat incidents and professional needs.

    Overall, I would rate Splunk SOAR an eight out of ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    reviewer2808384 - PeerSpot reviewer
    Senior Associate at a tech vendor with 10,001+ employees
    Real User
    Top 20
    Mar 16, 2026
    User-friendly threat analysis has improved accuracy in distinguishing true and false positives
    Pros and Cons
    • "Splunk SOAR is more user-friendly than those tools and provides more precise and advanced information that we require to analyze whether a case is a true positive or false positive."
    • "Sometimes it lags when I am working on multiple things."

    What is our primary use case?

    We have been using Splunk SOAR for analyzing threats and mitigating issues in cybersecurity. We provide input and SQL queries to Splunk SOAR, which analyzes the data and provides information on whether an IP address is legitimate or if it is a bot.

    What is most valuable?

    Splunk SOAR is user-friendly, and the SQL language inputs are intuitive. It provides precise information about what you are searching for.

    I have used a couple of other cybersecurity tools in comparison. Splunk SOAR is more user-friendly than those tools and provides more precise and advanced information that we require to analyze whether a case is a true positive or false positive. It improves accuracy significantly.

    What needs improvement?

    Sometimes it lags when I am working on multiple things. Apart from that, every feature is useful.

    Integration is an area for improvement. I would say it could include some other features that are present in IBM QRadar, which would be really helpful.

    For how long have I used the solution?

    I have been using Splunk SOAR for around five years.

    What do I think about the stability of the solution?

    Sometimes it lags when I am working on multiple things.

    What do I think about the scalability of the solution?

    Its scalability is really good.

    How are customer service and support?

    The customer service is excellent. They are responsive whenever I try to reach them.

    How would you rate customer service and support?

    Positive

    What was our ROI?

    The solution has resulted in money saved.

    What other advice do I have?

    Splunk SOAR is a very good application and a great tool to start your work with in cybersecurity. It will provide you with deeper investigation capabilities. The SQL language and other features will help you learn more. Compared to IBM QRadar, Splunk SOAR is a really excellent tool. I would rate this product an 8 out of 10.

    Which deployment model are you using for this solution?

    Private Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Last updated: Mar 16, 2026
    PeerSpot user
    SAURABHYADAV4 - PeerSpot reviewer
    Consultant at HCL Technologies
    Real User
    Top 5
    Jun 10, 2024
    Enables optimization by reducing manual intervention and increasing automation in the workflow
    Pros and Cons
    • "The product provides 100% automation for certain processes."
    • "The solution must provide more AIOps to improve predictability."

    What is our primary use case?

    I use the solution for incident response and automation.

    How has it helped my organization?

    The product helps with workflow reduction. The manual efforts required have been reduced. It contributes to optimization. The extent of workflow reduction varies depending on the instance. Manual intervention is required for critical processes. If it is not critical, we can automate it.

    What is most valuable?

    The product provides 100% automation for certain processes. It needs no manual intervention. We can integrate various tools like VirusTotal and ServiceNow. We can automate all the tasks. It is one of the best things about the tool. It also provides workforce protection.

    Whenever we get any alerts or make any configurations, we develop workflow automation using the playbooks. We can fully automate some of the security incident resolutions. We can also do identification and redirection using the product.

    I have integrated Splunk Phantom with Splunk Cloud. Previously, I used it with Splunk on-premise to get the logs into Splunk for tracking and audit purposes. Since Splunk is a SaaS-based product, it has certain maintenance windows. Over time, the vendor does some maintenance during off-production hours.

    Creating playbooks using the solution’s playbook editor is not tough. For someone who knows the solution, I rate the ease of creating playbooks as four out of five. The solution’s playbook viewer provides full visibility. The product provides different integrations. We can easily integrate the tool with VirusTotal, ServiceNow, and the asset and identity management system.

    The product is somewhat easier to use in an investigation. We have been able to identify the false positives using the product. The tool has helped reduce false positives by 30%. Splunk SOAR has helped reduce our mean time to detect by 10% to 15%. Splunk SOAR has a major impact on our mean time to resolve. Our mean time to resolve has been reduced by 35% to 40%.

    I have integrated VirusTotal with Splunk SOAR. Instead of doing manual checks, I can easily get the score by integrating the tool with Splunk SOAR. I have also synced Active Directory with the asset and identity management system.

    It's been a long time since we have implemented Splunk SOAR. It brings value to our organization. Before Splunk SOAR, everything was done using manual intervention. We had to educate the SOC team on how to do tasks. We also had to create playbooks for them. With Splunk SOAR, we only have to educate the team about how things are done so that they can perform a manual intervention when there is a failure, which is rare.

    After deploying the product, we had to provide some training to the SOC team. After getting trained, it was hands-on. Along with other Splunk solutions, Splunk SOAR provides the resilience to face any issues and hardships. We easily cope with downtimes.

    Splunk SOAR offers us end-to-end visibility across our environment. It depends on how much we utilize it. Visualizing and troubleshooting our cloud-native environment using Splunk SOAR is somewhat easy. I have to coordinate with the Phantom administrators if there is any issue. I work mostly on playbook development and integrating it with security instances.
    What needs improvement?

    The solution must provide more AIOps to improve predictability.

    For how long have I used the solution?

    I have been using Splunk SOAR for three to four years.

    What do I think about the stability of the solution?

    The tool is stable because it is completely SaaS-based.

    What do I think about the scalability of the solution?

    The SOC and engineering teams use the solution. The engineering team uses it to automate tasks. We have around 30 to 40 users. We were not using the tool completely initially. Once we started using it, we scaled it. We have also increased the number of product licenses. Our clients are enterprise-level businesses.

    How are customer service and support?

    I've been using Splunk products for a long time. Overall, I am pretty satisfied with the quality of service of the support team.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    Splunk SOAR is SaaS-based. The deployment takes a few months to stabilize. We have a Splunk team that manages the deployment. Two to three people are involved in the deployment.

    What's my experience with pricing, setup cost, and licensing?

    Everything good comes with a price. The tool is not cheap. However, if we use it to its full potential, it will be beneficial.

    What other advice do I have?

    Overall, I rate the product an eight out of ten.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
    Jay-Panchal - PeerSpot reviewer
    Information Security Analyst at a healthcare company with 1,001-5,000 employees
    Real User
    Top 5
    Sep 11, 2024
    It's a powerful tool that can monitor our servers and improve our web business by reducing security threats
    Pros and Cons
    • "Splunk has many features that make work easier, and it's simple to implement in a large production environment. Splunk collects a massive amount of data from cloud servers and handles it perfectly."
    • "The dashboard and some other features could be improved. SOAR should integrate network capabilities, allowing us to also monitor the WLAN network. Splunk is also expensive and difficult for beginners to learn. It's hard for a new user to figure out how to visualize old threat data. It took two to three months to learn with hands-on experience how to use the dashboard, visualize events, and analyze threats."

    What is our primary use case?

    I use Splunk to detect threats and conduct threat analysis. The solution monitors, models, and analyzes all security events in our cloud environment's production areas and mitigates threats.

    How has it helped my organization?

    Before we used Splunk SOAR, we didn't know how much traffic was coming in or what security threats were happening on our servers. We could not monitor the entire production environment. Splunk enables us to perform monitoring, threat hunting, threat analysis, and reporting on the risks and impact on our business. 

    Splunk improves our business resilience because it's a powerful tool that can monitor our servers and improve our web business by reducing security threats.  Before Splunk, security threats heavily impacted our production environments. 

    In the past, we had to monitor all our servers manually, but now that we have implemented SOAR in our production environment, we no longer need to monitor everything 24/7. It sends alerts to our emails, saving us time that we can spend on other tasks. It reduces our monitoring time by about 50 percent. Splunk speeds up our response time by 20 percent. 

    Splunk can integrate and manage multiple solutions simultaneously. It has reduced our alert volume and improved our security. We can show our clients that we're monitoring all the production environments and mitigating events as they happen. It has improved our security posture and reduced the risk.

    What is most valuable?

    Splunk has many features that make work easier, and it's simple to implement in a large production environment. Splunk collects a massive amount of data from cloud servers and handles it perfectly. 

    It manages the whole thread of data security logs and visualizes the data, making it easier to view everything. Splunk gives you end-to-end visibility of your on-prem environment, enabling you to troubleshoot issues easily. 

    Splunk integrates easily with the AWS cloud and also other clouds like GCP and Azure. It quickly and efficiently captures all the logs from the cloud just like it was capturing logs from your on-premises environment.

    What needs improvement?

    The dashboard and some other features could be improved. SOAR should integrate network capabilities, allowing us to also monitor the WLAN network. Splunk is also expensive and difficult for beginners to learn. It's hard for a new user to figure out how to visualize old threat data. It took two to three months to learn with hands-on experience how to use the dashboard, visualize events, and analyze threats.

    For how long have I used the solution?

    I used Splunk SOAR for about a year at the company I just left. 

    What do I think about the stability of the solution?

    I rate Splunk SOAR eight out of 10 for stability. 

    What do I think about the scalability of the solution?

    I rate Splunk SOAR nine out of 10 for scalability.

    How are customer service and support?

    I rate Splunk support eight out of 10.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I previously worked with Wazuh, and Splunk is a much better SOAR solution.

    How was the initial setup?

    Splunk SOAR is deployed on the cloud. The initial deployment wasn't complex, but implementing it on our production servers was a bit difficult because we had to deploy agents to more than 60 servers. It requires a little maintenance, such as upgrades and changing the dashboard. Installing it on a new production server takes a day to reconfigure.

    What was our ROI?

    Once Splunk is fully deployed, we can realize the full benefit. Implementing the solution across all our servers took a week.

    What's my experience with pricing, setup cost, and licensing?

    I rate Splunk SOAR two out of 10 for affordability. Splunk is a fast enterprise tool, but it costs too much. At the same time, it's worth what we pay, in my opinion. We can efficiently perform all the functions and tie together the data. It's the perfect tool for our needs. 

    What other advice do I have?

    I rate Splunk SOAR eight out of 10. I recommend Splunk if the company can afford it. It's suitable for a large organization that requires security monitoring. It's the best tool for threat hunting and analysis. 

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Buyer's Guide
    Download our free Splunk SOAR Report and get advice and tips from experienced pros sharing their opinions.
    Updated: April 2026