Senior Information Security Engineer at a tech company with 10,001+ employees
Automation has streamlined security tasks and now needs better AI support and coding assistance
Pros and Cons
- "Splunk SOAR allows us to connect to multiple platforms, whether they are networks, security, or observability."
- "I think Splunk SOAR is a bit slow to catch up with the AI boom. Everyone is ingesting Copilots or some form of AI in their platforms, and Splunk SOAR doesn't have it yet."
What is our primary use case?
I can state this as a Mastercard employee, but not beyond that. Splunk SOAR is used for standard Security Operation Center use cases. We build automations for the Security Operation Center and our scope extends beyond that as well, but primarily SOC is our stakeholder. The Security Operation Center performs certain tasks manually, and we help them automate or optimize their processes by using Splunk SOAR.
How has it helped my organization?
Everything comes down to automation. There are two ways to approach it depending on how you use Splunk SOAR as a tool. First, the Security Operation Center performs certain tasks manually, and we build automations for them on Splunk SOAR so that they don't have to do it manually. Second, Splunk SOAR has the ability to run actions where SOC analysts can execute certain actions within Splunk SOAR itself without going to other platforms.
These are the best examples of how Splunk SOAR helps the SOC. It improves accuracy with no errors in work, which a human can do but a rule-based engine cannot. It also saves time.
What is most valuable?
I'm a first-time user of any kind of SOAR platform, so I cannot compare it to others. What I appreciate about Splunk SOAR is the custom apps feature, which are basically connectors that we can either develop ourselves or find available on Splunkbase or from the Splunk community. With these apps, we can communicate with external systems by calling APIs. Instead of calling an API directly, there is a packaged version of it called an app, which we can use to interact with that external application. The way they integrate is good.
Splunk SOAR does help consolidate networking, security, and IT observability tools for us. This depends on use case basis, but Splunk SOAR has the ability to connect to observability tools like Splunk ES and networking tools like Palo Alto. Even if Splunk doesn't have a pre-built custom app for any new external application, we have the ability to create those apps and connect with external applications. Splunk SOAR allows us to connect to multiple platforms, whether they are networks, security, or observability.
Splunk SOAR has saved us time in threat response, particularly on the SOC side. For example, if they have analyzed something and determined that certain indicators of compromise or IOCs need to be blocked or contained, our tool helps them do it without going into individual platforms. If we decide that we have to block a malicious domain, for instance, they currently have to go into three or four different platforms like Defender tools at the network level or firewall level. With Splunk SOAR, they don't have to do this. We have that configured in Splunk SOAR and it does the job. There are other use cases as well where it saves threat response time.
What needs improvement?
I feel Splunk SOAR lacks the IntelliSense feature that code editors like VS Code have. This is the feature where when you type a certain variable name, it automatically pops up suggesting what you might want to type, and when you enter a dot, it gives you all the attributes. When we code in Splunk SOAR, we don't have any assistance. We just have to code, execute it, and then we will only know if there were any errors in the code. In code editors, if you have variables written and you refer to that variable again, it gives you the list of attributes it has. If I have defined a variable name as Splunk and I try to type SPL, it will suggest that variable name to me so that I don't have to type everything. I can just hit tab and use that variable. This is not available in Splunk SOAR. I'm not sure if it is available in any other platform, and maybe that's the limitation of having a web-based tool, but I think that's important from a developer's standpoint. I develop every day in Splunk SOAR and I know that this feature would save a lot of time for us if it was added.
Beyond that, I haven't seen much of the SOAR world, and Splunk SOAR is the only tool that I use. The development part that I just explained is the thing I think will help us if that feature is added, but beyond that, I don't think there is much else at this point in time.
Buyer's Guide
Splunk SOAR
May 2026
Learn what your peers think about Splunk SOAR. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
900,277 professionals have used our research since 2012.
For how long have I used the solution?
I have been using this product for two years, two months, or three months.
What do I think about the stability of the solution?
Splunk SOAR is stable enough. The platform is stable only if you go with their most recommended minimum technical specifications. Although there are certain minimum specifications that they have outlined, if we go for that, we come across some issues. Otherwise, Splunk SOAR is stable enough. However, it depends on how the platform is set up and it will differ organization to organization.
What do I think about the scalability of the solution?
I think Splunk SOAR is a bit slow to catch up with the AI boom. Everyone is ingesting Copilots or some form of AI in their platforms, and Splunk SOAR doesn't have it yet. It should, but it doesn't.
How are customer service and support?
I have had a very nice experience with Splunk's technical support and customer service teams. They're fast to respond depending on the severity of the ticket or issue. If there's any niche issue, then it takes quite some time to troubleshoot. General issues are resolved on the spot and they also have on-demand services available to assist us.
On a scale of one to ten, where ten is the best, I would rate the technical support at eight at least.
Which solution did I use previously and why did I switch?
This was the first time Splunk SOAR was implemented in my organization.
How was the initial setup?
From a development standpoint, I needed to have cybersecurity knowledge which I didn't have initially, but beyond that, Splunk SOAR was straightforward to use. It has its own things, but the learning curve is not that high.
What about the implementation team?
I was not involved in the deployment of Splunk SOAR during the initial implementation. It was done about a year before I joined, so I wouldn't know the details.
What other advice do I have?
I would give the advice to make the most use of Splunk SOAR. It is not limited to the Security Operation Center. There are way too many use cases outside SOC which Splunk SOAR can cater to, and it makes life easier. It can do standard automations, and that use case doesn't even need to be related to cybersecurity. If you have bandwidth or resources available on the Splunk SOAR side, you should think of other use cases. To sum it up, know what you need out of the product and understand what it can do beyond your current scope as to why you're looking for that product, and utilize it to the fullest. My overall rating for this product is seven out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Jan 21, 2026
Splunk Engineer at Data Elicit Solutions Pvt. Ltd.
Automation has reduced manual SOC work and now speeds up phishing and DDoS incident response
Pros and Cons
- "Splunk SOAR is really saving my time."
What is our primary use case?
I use Splunk SOAR mainly for automating SOC operations and incident response workflow, and I integrate it with Splunk and Splunk ES. I have EDR tools, firewall logs, and Microsoft email, so I use it for email security. I have integrated it with my ticketing management service, ServiceNow, and most of my use cases are related to phishing investigation, brute force attacks, malware alerts, threat activity, suspicious login activity, and vulnerabilities from recently released software. Whenever an alert is triggered from Splunk or ES, Splunk SOAR automatically starts the playbook I have configured and gathers the logs to check against the threshold limit I have defined or enriches data with external services using Splunk SOAR playbooks. I then create incidents or take remediation actions according to the scenario or incident. This reduces the manual work of my SOC team.
In threat response, Splunk SOAR saves time. For example, with email phishing, it does save time, and for other situations like when I receive simultaneous IP hits from DDoS attacks, it will automatically detect that and send a message on Slack that this IP is hitting this machine at this rate based on the second or minute. I just need to confirm whether I want to block it or not. If I send yes, then it would directly block it into my firewall rules so that this IP should be blocked for this minute or something similar. Splunk SOAR is really saving my time. I can identify directly where this IP came from and whether it is from China or any part of the country. I detect or enrich the data using a playbook, and it saves a lot of time for SOC where actual SOC investigation is not needed. It plays a really good role.
What is most valuable?
In Splunk SOAR, playbooks provide a very key role in automation. I can enrich my IP, domain, and hashes or integrate it with other third-party tools like Slack or ServiceNow. I can send an email to the user or block a particular IP into my current firewalls and automate that using a playbook. The most valuable feature for me is playbook automations. There are pre-built playbooks, and I can build my own custom playbooks that speed up my incident response. Most of the time I am getting phishing mail, and then it is not necessary that I am already blocking that phishing mail since I do get newly phishing mails every day. I have written playbooks that will automatically define a rule at my email security that this phishing email I got is blocked. It is something I like most.
Apart from this, app integration and case management are valuable. The custom functions features that Splunk SOAR provides, such as Python custom functions, are also valuable. Engineers can easily write their rules or define their logic. Splunk SOAR saves time in threat response, as I have given the example about email phishing and DDoS above.
What needs improvement?
I do not think there is anything currently, but as I grow, I can answer better on that. I can just expect some more integration from Splunk. There are vast possibilities to integrate with tools, or I can build my own custom solutions. I will be looking for more supported integrations from Splunk rather than depending on third-party solutions.
For how long have I used the solution?
I started with a smaller environment and then I scaled up to the state that I am currently in.
What do I think about the stability of the solution?
In my environment, Splunk SOAR is pretty much stable. I have not faced any major issues. However, I have other services running on the same system that are causing Splunk SOAR issues. I am doing that to separate it out on a different machine.
How are customer service and support?
As of now I am good with the overall guessing or remediation.
Which solution did I use previously and why did I switch?
I was analyzing what tools were available, but I have not found any other tools that were better for me because I was using other Splunk products. It would be great to have a Splunk product, and I went with Splunk SOAR.
How was the initial setup?
Deploying Splunk is very straightforward for me because at the time I was implementing it, my environment was small and I was just integrating two or three modules. It was very straightforward for me and the documentation helped me a lot to configure it. I have not faced such a high issue thanks to the Splunk community, which is a very active community, and I was able to find my answers there.
What was our ROI?
If it had impacted my system at that time, I would have needed to call my employees to please come online and try to see what is happening, but that was really saved by Splunk SOAR. Calling an employee on leave is not a good option, according to me.
What's my experience with pricing, setup cost, and licensing?
That is managed by someone else in my team, and I will not be a good person to answer that. I was in talks with my team about whether what I am paying for Splunk SOAR and the licensing I have purchased is really a benefit to me. It is way below what it costs to hire some professionals to do only that type of work. It is very low and I get more control over my systems.
What other advice do I have?
I rate Splunk SOAR a nine out of ten.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 30, 2026
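The two reviews above describe the same playbook shape from two sides: the first reviewer's point that blocking an IOC should not require visiting three or four platforms by hand, and the second reviewer's DDoS flow where the playbook counts hits per IP per minute against a threshold, enriches the IP, posts a Slack message, and only blocks on the firewall once the analyst replies yes. The following is an added example written for this page, not Splunk SOAR code, a Splunkbase app, or either reviewer's playbook. It models that detect, enrich, notify, approve, block fan-out sequence as plain Python of the kind a SOAR custom function would contain; the events, the geo table, the internal ranges and the platform names are all constructed.

```python
"""Playbook-style DDoS rate check with an analyst approval gate and
multi-platform block fan-out.

Added example only: this is not Splunk SOAR code, a Splunkbase app, or any
reviewer's playbook. Every event, lookup table and platform name below is
constructed for illustration.
"""
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed alert events, shaped like rows a SIEM search might hand a playbook.
SAMPLE_EVENTS = [
    {"_time": "2026-03-01T10:00:01Z", "src_ip": "203.0.113.7", "dest": "web-01"},
    {"_time": "2026-03-01T10:00:04Z", "src_ip": "203.0.113.7", "dest": "web-01"},
    {"_time": "2026-03-01T10:00:09Z", "src_ip": "203.0.113.7", "dest": "web-01"},
    {"_time": "2026-03-01T10:00:15Z", "src_ip": "203.0.113.7", "dest": "web-01"},
    {"_time": "2026-03-01T10:00:22Z", "src_ip": "203.0.113.7", "dest": "web-01"},
    {"_time": "2026-03-01T10:00:30Z", "src_ip": "198.51.100.9", "dest": "web-01"},
    {"_time": "2026-03-01T10:01:02Z", "src_ip": "203.0.113.7", "dest": "web-01"},
    {"_time": "2026-03-01T10:01:40Z", "src_ip": "203.0.113.7", "dest": "web-01"},
]

# Constructed geo lookup standing in for an external enrichment service.
GEO_TABLE = {"203.0.113.7": "Example-Land", "198.51.100.9": "Sampleia"}

# Constructed internal ranges that a block action must never touch.
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]

# Hypothetical enforcement points, standing in for the several platforms a
# reviewer describes having to visit by hand.
PLATFORMS = ["perimeter-firewall", "edr", "web-proxy"]


def hits_per_minute(events):
    """Count hits per (src_ip, dest, one-minute bucket)."""
    counts = Counter()
    for ev in events:
        ts = datetime.strptime(ev["_time"], "%Y-%m-%dT%H:%M:%SZ")
        bucket = ts.replace(second=0).isoformat()
        counts[(ev["src_ip"], ev["dest"], bucket)] += 1
    return counts


def find_breaches(events, threshold):
    """Return the (ip, dest, minute) buckets at or above the per-minute threshold."""
    breaches = [
        {"src_ip": ip, "dest": dest, "minute": minute, "hits": n}
        for (ip, dest, minute), n in hits_per_minute(events).items()
        if n >= threshold
    ]
    return sorted(breaches, key=lambda b: (b["minute"], b["src_ip"]))


def enrich(ip):
    """Enrichment step; a real playbook would call a geo/reputation app here."""
    return {"country": GEO_TABLE.get(ip, "unknown")}


def build_message(breach, enrichment):
    """Analyst-facing notification text (what the Slack message would carry)."""
    return (f"{breach['src_ip']} ({enrichment['country']}) hit {breach['dest']} "
            f"{breach['hits']} times in the minute starting {breach['minute']}. "
            "Reply yes to block.")


def approved(reply):
    """Approval gate: only an explicit yes from the analyst releases the block."""
    return reply.strip().lower() in {"yes", "y"}


def block_ip_everywhere(ip):
    """Fan one block decision out to every platform, refusing internal IPs."""
    addr = ip_address(ip)                      # raises ValueError on garbage input
    if any(addr in net for net in INTERNAL_RANGES):
        return []                              # never block our own ranges
    return [{"platform": p, "action": "block", "ip": ip} for p in PLATFORMS]


def run_playbook(events, threshold, analyst_reply):
    """Detect -> enrich -> notify -> approval gate -> block fan-out."""
    breaches = find_breaches(events, threshold)
    messages, actions = [], []
    for breach in breaches:
        messages.append(build_message(breach, enrich(breach["src_ip"])))
        if approved(analyst_reply):
            actions.extend(block_ip_everywhere(breach["src_ip"]))
    return {"breaches": breaches, "messages": messages, "actions": actions}


if __name__ == "__main__":
    result = run_playbook(SAMPLE_EVENTS, threshold=4, analyst_reply="yes")
    for line in result["messages"]:
        print(line)
    print(len(result["actions"]), "block actions queued")
```

The approval gate and the internal-range refusal are the two checks worth keeping in any real version of this flow: the first keeps a human decision between detection and enforcement, as the reviewer's "I just need to confirm" step does, and the second stops a noisy internal scanner from being blocked on every platform at once.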
Information System Security Officer at a manufacturing company with 10,001+ employees
Has helped improve account activity monitoring and streamline threat validation processes
Pros and Cons
- "Fortunately, the system helps to parse through these alerts and determine which ones are important and need further investigation."
- "I'm not an expert on Splunk SOAR, but I'm sure our team members know what areas could be improved."
What is our primary use case?
I don't have much hands-on experience with the solution. While I understand its capabilities regarding logging and reporting, I haven't had much direct involvement. The administration is handled by teams within the organization, including our SOC team and the managed security tools team. Our cybersecurity engineers are responsible for managing those aspects.
We receive reports that track user login activity. We get SOAR reports based on this activity, which inform us when someone hasn't logged in for a certain period of time. Our SOC analysts monitor alerts and investigate them. Sometimes, I need to review the information they send me to validate findings and determine whether there is any malicious activity or if it's just natural behavior within our environment.
While my primary role doesn't involve monitoring alerts, I do receive external reports from the system. Occasionally, I need to investigate tickets related to alerts. This involves working with engineers, cloud engineers, or system administrators for the flagged systems.
How has it helped my organization?
We aggregate data from sources such as CloudTrail and CloudWatch to provide a comprehensive view of activity across the entire environment. We maintain an enterprise cloud setup where we host our customers. The SOC has visibility into everything happening within the system and monitors external components as well, such as internet-facing elements. This allows them to detect any malicious activity or unauthorized access attempts to the network.
I don't have the metric on the time saved. However, I do see that the SOC team receives a lot of reports. I’m not sure of the exact number, but it’s like hundreds of thousands of alerts every month. A single person couldn't go through them all. Fortunately, the system helps to parse through these alerts and determine which ones are important and need further investigation.
It organizes the alerts in a way that makes it easier for the team to go through them. They wouldn't be able to manage that volume without some organization in place.
It has helped improve our organization’s business resilience. I believe we are currently preparing for a security assessment, and Splunk may be collecting some performance data as part of that. This data might be coming from our performance monitoring system, but I need to confirm. Overall, Splunk provides a wealth of information. Our performance monitoring tools detect high CPU utilization, monitor storage, and identify any abnormal activity in the environment. Additionally, some of our tools have machine learning capabilities, which I find very helpful.
What is most valuable?
It has some automated features, including alerting and the ability to set up notifications for different entities. This ensures that we are informed of any activity related to user accounts or privileged accounts. It helps identify instances where an account is not being used or when someone has left the organization, making it unnecessary to manually look up accounts. The integration of automation in the SOAR capability enhances this process. The automation reduces the need for manual searches.
What needs improvement?
I'm not an expert on Splunk SOAR, but I'm sure our team members know what areas could be improved. I haven't spoken to them specifically about what could be improved or what they would want Splunk SOAR to improve.
For how long have I used the solution?
We have been using this solution for about five years.
What do I think about the stability of the solution?
It's been pretty reliable. I get some alerts as a security lead when there are auditing failures. We get a few of those occasionally, but it's not a common issue.
How are customer service and support?
I haven't interacted with them directly, but the team has said their support is really good.
How would you rate customer service and support?
Positive
How was the initial setup?
I do not have any experience with deploying Splunk SOAR. I know that the solution we’re using is cloud-based and hosted in a SaaS environment. Our team deploys agents and sets up the configurations for reporting. I can’t really speak to how complex the setup process is, but our teams could take advantage of or leverage the service.
What other advice do I have?
I would rate this solution an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Oct 13, 2025
Strategic Account Executive at a computer software company with 51-200 employees
Has automated patch management and incident response to save significant time for financial use cases
Pros and Cons
- "Splunk SOAR saves time in threat response, and the time to solve an incident is currently the best in the market."
- "There are areas where Splunk SOAR can continue to improve, particularly regarding the synchronization of information, as sometimes it takes longer than other tools."
What is our primary use case?
One of the main use cases I worked with Splunk SOAR was for a bank, specifically HSBC Hong Kong, a central bank.
A success story where Splunk SOAR saved my team significant time was during implementation at the bank. Previously, the information of incidents was managed manually, often leading to human errors, but with Splunk SOAR's AI and ML capabilities, they no longer needed to spend excessive time consolidating reports.
What is most valuable?
I have experience with Splunk SOAR and am familiar with it as with similar products such as Splunk On-Call.
The automated patch management feature is what I appreciate most about Splunk SOAR compared to Devo, which includes vulnerability response capabilities, triggers, and the AI-assisted playbook for handling various vulnerabilities.
Splunk's Unified Platform helps consolidate networking, security, and IT observability tools. When integrating Splunk SOAR with the NOC or operations centers of customers, deep integrations can be achieved, for example, with Cisco Security Cloud and AI and machine learning capabilities, which enhance playbooks and incident analysis.
Splunk SOAR saves time in threat response, and the time to solve an incident is currently the best in the market.
My impressions of Splunk SOAR's ability to predict, identify, and solve incidents in real time depend on the customers. If customers have their playbooks or knowledge bases properly implemented beforehand, the real-time capabilities become effective, but often they do not, which creates challenges.
What needs improvement?
There are areas where Splunk SOAR can continue to improve, particularly regarding the synchronization of information, as sometimes it takes longer than other tools. While they offer fantastic regional support, such as Spanish technical support, there is still room for improvement.
I would rate Splunk SOAR support an eight out of ten because escalating a ticket to a higher level can take more time, indicating a need for a larger support team.
They have bottlenecks in their support system.
For how long have I used the solution?
I have dealt with Splunk SOAR for about three years.
What about the implementation team?
We purchased Splunk SOAR with a partner, Metabase Q, which is a main partner of Splunk, and they maintain a strong relationship with executives at both companies.
What other advice do I have?
My experience with the pricing of Splunk SOAR is that it is expensive; however, it is the best, so if you want the best, you need to invest accordingly.
I rate Splunk SOAR a nine out of ten because it is really user-friendly, the time to value is great, and it is not complex compared to other solutions like IBM, where you often need highly skilled engineers for implementation, while Splunk SOAR provides much functionality out of the box.
I gave this solution a rating of nine out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Oct 22, 2025
Manager at a tech vendor with 10,001+ employees
User-friendly threat analysis has improved accuracy in distinguishing true and false positives
Pros and Cons
- "Splunk SOAR is more user-friendly than those tools and provides more precise and advanced information that we require to analyze whether a case is a true positive or false positive."
- "Sometimes it lags when I am working on multiple things."
What is our primary use case?
We have been using Splunk SOAR for analyzing threats and mitigating issues in cybersecurity. We provide input and SQL queries to Splunk SOAR, which analyzes the data and provides information on whether an IP address is legitimate or if it is a bot.
What is most valuable?
Splunk SOAR is user-friendly, and the SQL language inputs are intuitive. It provides precise information about what you are searching for.
I have used a couple of other cybersecurity tools in comparison. Splunk SOAR is more user-friendly than those tools and provides more precise and advanced information that we require to analyze whether a case is a true positive or false positive. It improves accuracy significantly.
What needs improvement?
Sometimes it lags when I am working on multiple things. Apart from that, every feature is useful.
Integration is an area for improvement. I would say it could include some other features that are present in IBM QRadar, which would be really helpful.
For how long have I used the solution?
I have been using Splunk SOAR for around five years.
What do I think about the stability of the solution?
Sometimes it lags when I am working on multiple things.
What do I think about the scalability of the solution?
Its scalability is really good.
How are customer service and support?
The customer service is excellent. They are responsive whenever I try to reach them.
How would you rate customer service and support?
Positive
What was our ROI?
The solution has resulted in money saved.
What other advice do I have?
Splunk SOAR is a very good application and a great tool to start your work with in cybersecurity. It will provide you with deeper investigation capabilities. The SQL language and other features will help you learn more. Compared to IBM QRadar, Splunk SOAR is a really excellent tool. I would rate this product an 8 out of 10.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 16, 2026
Integrating seamlessly with existing security infrastructure to effectively manage alerts and improve response times
Pros and Cons
- "The benefits were immediate when we started using Mission Control Splunk SOAR over a year ago; it has made it easier for our analysts to work on alerts using playbooks and forward them."
- "It would be nice if we could put it on other search heads, not just Enterprise Security."
What is our primary use case?
We have it interconnected with Enterprise Security. We use what's called Mission Control. There are two products for Splunk SOAR: Mission Control and Phantom. We're using Mission Control to forward automated alerts to our SOC analysts.
What is most valuable?
Being able to integrate with Enterprise Security is a big plus. I can assign admins or analysts roles to manage Mission Control or Splunk SOAR, which is very beneficial. The solution has been effective because we were able to filter out non-important alerts and focus on the important ones. Using playbooks has shortened the mean time to remediate.
What needs improvement?
It would be nice if we could put it on other search heads, not just Enterprise Security. We have an ad hoc search head, and compatibility with that would be beneficial. More training classes from Splunk University would also be good.
For how long have I used the solution?
We have been using the solution for about a year now.
What do I think about the stability of the solution?
There were minor issues with modifying the playbooks and integrating new alerts. The system hasn't stopped working or failed, so it's performing well.
What do I think about the scalability of the solution?
I haven't experienced any scalability issues yet.
How are customer service and support?
The customer service is good and pretty intuitive.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I have personally used LogRhythm's product, though I cannot recall its specific name.
How was the initial setup?
The initial setup was fairly easy.
What about the implementation team?
We implemented using Splunk's version.
What was our ROI?
We have seen positive ROI using various techniques, including risk-based alerting and enabling or disabling false positive alerts.
What's my experience with pricing, setup cost, and licensing?
The solution is free for us, which is a beneficial aspect.
Which other solutions did I evaluate?
We did consider alternate solutions.
What other advice do I have?
Splunk SOAR has been integrated into Enterprise Security 8.1, making it easier to configure. This feature was released about a month ago. The benefits were immediate when we started using Mission Control Splunk SOAR over a year ago. It has made it easier for our analysts to work on alerts using playbooks and forward them. The implementation took approximately four weeks, with about 30% improvement in efficiency and 20% in overall performance. The solution offers more capabilities and better integrations with Enterprise Security. I would rate this solution a nine out of ten.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Splunk/SOAR Engineer
Provides a visual platform for creating playbooks and significantly improves efficiency
Pros and Cons
- "The best feature in Splunk SOAR is the visual Playbook Editor. The drag-and-drop interfaces make visualizations and understanding workflows easy."
- "Splunk SOAR has made a huge impact across security operations and the business overall."
- "There are areas in Splunk SOAR that have room for improvement. To make Splunk SOAR a better solution, there could be better built-in debugging tools, smarter playbook suggestions, and enhanced lifecycle management."
What is our primary use case?
My use case for the solution is basically focused on deploying and configuring data related to Splunk, upgrading the Splunk SOAR instances, implementing role-based access controls for different users, and performing system performance tasks, along with resolving logs and connectivity-related issues.
Additionally, I handle integrations with SIEM tools such as Splunk and EDR, firewalls, and threat platforms.
How has it helped my organization?
Implementing Splunk SOAR has significantly benefited our business. It has made a huge impact across security operations and the business overall. The biggest improvement is in speed, consistency, and scalability of responses. With automation of over 60% of repetitive tasks, it has significantly improved efficiency in threat triage and ticketing.
Splunk SOAR has saved us dozens of hours every month by automating tasks, which has reduced the manual workloads significantly for level one and level two analysts.
Splunk SOAR has reduced our Mean Time to Detect by approximately 30% to 40%. The Mean Time To Resolve is approximately reduced by 30% to 40%.
Splunk SOAR absolutely improves our ability to investigate and gain end-to-end visibility and effectively remediate threats across our environments.
Visualizing and troubleshooting our cloud-native environment with Splunk SOAR is fast. It enables informed investigations with centralized timelines and helps with immediate responses by gathering data from all SIEM, EDR, and threat feeds.
Splunk SOAR has saved us time in alert triage. It saves about 20 to 25 minutes per alert by gathering data and checking regulations.
Splunk SOAR has saved us time in threat response, reducing it by approximately 30% to 50%.
Splunk SOAR has helped consolidate multiple tools used in the business, such as security tools and threat intelligence tools, into a singular workflow.
What is most valuable?
The best feature in Splunk SOAR is the visual Playbook Editor. The drag-and-drop interfaces make visualizations and understanding workflows easy. Moreover, Splunk SOAR supports over 300 integrations with SIEM tools, EDR, firewalls, and threat and cloud platforms. We can also build apps using Python.
Creating playbooks using the Playbook Editor in Splunk SOAR is easy. The editor is designed to be user-friendly with visual drag and drop features, allowing for easy workflows without writing any code. Simple playbooks, such as IP reputation checks and ticket creation, can be built in just a few minutes, while complex playbooks involving loops and API calls are manageable as well.
The visibility of the Playbook Viewer is one of the key strengths for Splunk SOAR. It provides a centralized view of an incident from alert to response within a single container and allows you to have action-level transparency by logging each action in real-time. You can click through each step to check input and output status and logs, along with a timeline view for incidents, which aids in the entire investigation.
Splunk SOAR's ability to integrate with systems and applications in our environment is extensive. It supports a wide range of apps and tools, such as firewalls, ticketing systems including Jira, and cloud platforms like AWS and Azure. It also has easy API-based custom integrations.
What needs improvement?
There are areas in Splunk SOAR that have room for improvement. To make Splunk SOAR a better solution, there could be better built-in debugging tools, smarter playbook suggestions, and enhanced lifecycle management. Real-time collaboration features, more granular metrics, and improved reporting for dashboards would also be beneficial.
For how long have I used the solution?
I have been using Splunk SOAR for about 5 to 6 years. I am involved in the Splunk Administration and Splunk Analyst roles.
What do I think about the stability of the solution?
Considering performance and other factors, I would rate its stability an eight out of ten.
What do I think about the scalability of the solution?
It can be extended and adapted as necessary. I would rate its scalability as an eight out of ten.
In my team, there are 10 to 15 active users working on Splunk SOAR. We are a large organization.
How are customer service and support?
I would rate Splunk's technical support as a nine.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before using Splunk SOAR, my team utilized various tools, including networking tools and SIEM tools, to assist our SecOps team in performing investigations.
As compared to other SOAR solutions, Splunk SOAR is the most flexible platform available in the market, especially in terms of integration capabilities and compatible playbooks. It has strong alignment with Splunk Enterprise Security compared to tools like IBM SOAR, which may lack flexibility.
How was the initial setup?
It wasn't very easy. It includes a lot of techniques and methods. It takes a couple of days to deploy.
It didn't take much time to train my SOC team on how to use playbooks after implementing Splunk SOAR. As a SOC team, we routinely deal with incident responses and track day-to-day activities using various tools, including Splunk. Splunk effectively gathers information regarding unauthorized user access, which helps us track and analyze them swiftly.
What's my experience with pricing, setup cost, and licensing?
Splunk SOAR is moderately priced, neither cheap nor overly expensive.
What other advice do I have?
I would absolutely recommend Splunk SOAR to other users, but it also depends on their specific use cases for threat incidents and professional needs.
Overall, I would rate Splunk SOAR an eight out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Analyst at a healthcare company with 1,001-5,000 employees
It's a powerful tool that can monitor our servers and improve our web business by reducing security threats
Pros and Cons
- "Splunk has many features that make work easier, and it's simple to implement in a large production environment. Splunk collects a massive amount of data from cloud servers and handles it perfectly."
- "The dashboard could be improved and some other features. SOAR should integrate network capabilities, allowing us to also monitor the WLAN network. Splunk is also expensive and difficult for beginners to learn. It's hard for a new user to figure out how to visualize old threat data. It took two to three months to learn with hands-on experience how to use the dashboard, visualize events, and analyze threats."
What is our primary use case?
I use Splunk to detect threats and conduct threat analysis. The solution monitors, models, and analyzes all security events in our cloud environment's production areas and mitigates threats.
How has it helped my organization?
Before we used Splunk SOAR, we didn't know how much traffic was coming in or what security threats were happening on our servers. We could not monitor the entire production environment. Splunk enables us to perform monitoring, threat hunting, threat analysis, and reporting on the risks and impact on our business.
Splunk improves our business resilience because it's a powerful tool that can monitor our servers and improve our web business by reducing security threats. Before Splunk, security threats heavily impacted our production environments.
In the past, we had to monitor all our servers manually, but now that we have implemented SOAR in our production environment, we no longer need to monitor everything 24/7. It sends alerts to our emails, saving us time that we can spend on other tasks. It reduces our monitoring time by about 50 percent. Splunk speeds up our response time by 20 percent.
Splunk can integrate and manage multiple solutions simultaneously. It has reduced our alert volume and improved our security. We can show our clients that we're monitoring all the production environments and mitigating events as they happen. It has improved our security posture and reduced the risk.
What is most valuable?
Splunk has many features that make work easier, and it's simple to implement in a large production environment. Splunk collects a massive amount of data from cloud servers and handles it perfectly.
It manages the whole thread of data security logs and visualizes the data, making it easier to view everything. Splunk gives you end-to-end visibility of your on-prem environment, enabling you to troubleshoot issues easily.
Splunk integrates easily with the AWS cloud and also other clouds like GCP and Azure. It quickly and efficiently captures all the logs from the cloud just like it was capturing logs from your on-premises environment.
What needs improvement?
The dashboard could be improved and some other features. SOAR should integrate network capabilities, allowing us to also monitor the WLAN network. Splunk is also expensive and difficult for beginners to learn. It's hard for a new user to figure out how to visualize old threat data. It took two to three months to learn with hands-on experience how to use the dashboard, visualize events, and analyze threats.
For how long have I used the solution?
I used Splunk SOAR for about a year at the company I just left.
What do I think about the stability of the solution?
I rate Splunk SOAR eight out of 10 for stability.
What do I think about the scalability of the solution?
I rate Splunk SOAR nine out of 10 for scalability.
How are customer service and support?
I rate Splunk support eight out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I previously worked with Wazuh, and Splunk is a much better SOAR solution.
How was the initial setup?
Splunk SOAR is deployed on the cloud. The initial deployment wasn't complex, but implementing it on our production servers was a bit difficult because we had to deploy agents to more than 60 servers. It requires a little maintenance, such as upgrades and changing the dashboard. Installing it to a new production server takes a day to reconfigure.
What was our ROI?
Once Splunk is fully deployed, we can realize the full benefit. Implementing the solution across all our servers took a week.
What's my experience with pricing, setup cost, and licensing?
I rate Splunk SOAR two out of 10 for affordability. Splunk is a fast enterprise tool, but it costs too much. At the same time, it's worth what we pay, in my opinion. We can efficiently perform all the functions and tie together the data. It's the perfect tool for our needs.
What other advice do I have?
I rate Splunk SOAR eight out of 10. I recommend Splunk if the company can afford it. It's suitable for a large organization that requires security monitoring. It's the best tool for threat hunting and analysis.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Principal Site Reliability Engineer at a tech vendor with 10,001+ employees
Data Enrichment and Auto-healing for IT Operations
Pros and Cons
- "SOAR allows custom code to be written and integrates with various technologies through pre-built apps like Windows Remote Management or custom apps we can build ourselves like a secret retrieval app from our vault."
- "While there have been improvements to the investigation process, particularly with the playbook data, the current log review method is cumbersome."
What is our primary use case?
Splunk SOAR, formerly Splunk Phantom, is a powerful automation platform with a high security focus, but it is also usable for any other general tasks such as putting a server off the network, restarting services, performing health checks, performing data enrichment by collecting information from different sources and combining, analyzing, and providing precise information about several topics. It has a variety of options, and what can stop you is just your creativity.
How has it helped my organization?
Splunk SOAR has a user-friendly interface that simplifies playbook creation. While some initial training is helpful, the drag-and-drop functionality and pre-built code generation features make it accessible even for those without extensive coding experience. This ease of use allows teams to quickly automate incident response tasks, reducing the business impact.
Splunk SOAR helps us improve our data collection and automate operational tasks. While it enriches data, some actions require approval or additional information. For application outages, immediate action is crucial to avoid business impact, and time to respond is key to be able to identify the root cause of issues. For example, if a database server goes down, if the analyst doesn't check the issue right after it occurs, they may end up losing precious logs, which would help them identify the issue and avoid reoccurrence. Additionally, manual database tasks like service restarts or log checks are time-consuming. Splunk SOAR automates these tasks, enriching our log collection, running health checks, and generating reports for the database team. This allows for faster issue identification and resolution, ultimately contributing to high system availability and minimal customer impact.
It provides a comprehensive solution for our environment's health. Splunk offers two key products: Splunk as an observability tool that detects critical issues, and Splunk SOAR, an automation platform that enriches data and even automates remediation actions.
SOAR offers easy integration with various tools. We can leverage pre-built apps for common integrations or create custom ones. While Splunk integrations are automatic, SOAR's API allows us to send data from any observability tool using the SOAR API. This API offers different options to manage the platform, and one of the options is to create a container in SOAR, which can trigger the appropriate playbook based on a label name, simplifying integration with new tools and accelerating proof-of-concept deployments.
Implementing a SOAR platform significantly improved our IT operations. Previously, frequent application downtime overwhelmed our busy operations team, forcing them to prioritize and leave some issues unresolved. SOAR automation relieved this pressure by allowing us to create playbooks that automatically detect and fix recurring problems. While the initial setup required developing playbooks and standards, the resulting reduction in alerts and faster issue resolution freed up the operations team's time and had a major positive impact on our overall IT environment.
Our mean time to detect is within seconds. Before SOAR, manually detecting and resolving server issues was slow and unreliable. It could take hours for an overloaded team to identify a problem, and even longer to fix it, potentially impacting customers. SOAR automates this process, triggering immediate responses that take seconds, minimizing downtime, and ensuring a smooth customer experience.
Our mean time to resolution is improved. SOAR helps resolve issues quickly by automating tasks through playbooks. When an issue is detected, SOAR can run a playbook to fix it or provide more information to analysts, expediting resolution.
SOAR has significantly improved our efficiency by automating manual tasks. This frees our IT staff to focus on resolving issues faster and tackling more complex projects.
What is most valuable?
SOAR allows custom code to be written and integrates with various technologies through pre-built apps like Windows Remote Management or custom apps we can build ourselves like a secret retrieval app from our vault. Playbooks, built with drag-and-drop and custom functions, provide further flexibility for developers to tailor the solution to their specific needs.
What needs improvement?
While there have been improvements to the investigation process, particularly with the playbook data, the current log review method is cumbersome. Scrolling through massive, unsearchable logs is inefficient. Ideally, the system would offer search functionality or even AI-powered analysis to pinpoint issues quickly, saving time spent sifting through text.
SOAR's development efficiency can be enhanced by incorporating AI to assist in writing custom code, eliminating the need to start from scratch. This AI-powered approach would significantly reduce the time required to develop playbooks.
For how long have I used the solution?
I have been using Splunk SOAR for over five years.
What do I think about the stability of the solution?
SOAR is stable. In the last three years, we only had it go down twice, which was related to a server issue.
What do I think about the scalability of the solution?
SOAR is designed to grow with our needs by allowing us to add more hardware to handle increased workloads. This makes it a good fit since scalability was a major factor in our evaluation. On top of that, SOAR's customizable platform ensures it can be tailored to our specific requirements.
How are customer service and support?
During playbook development, we encountered technical issues with the playbook feature itself, requiring vendor assistance. Their expertise was invaluable. Not only did they resolve the immediate problems, but they also proactively suggested improvements to our SOAR platform coding for better speed and overall performance.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Having experience with various automation tools, including Microsoft Orchestrator, Ansible, and Rundeck, I find SOAR to be the most user-friendly. In fact, after exploring most market offerings, Splunk SOAR stands out for its comprehensive feature set, surpassing any other platforms we've previously used.
How was the initial setup?
The deployment required one member from our team and one from the SOAR team.
What about the implementation team?
Implementing Splunk SOAR was made significantly easier with the support and expertise of the vendor's team. Their deep knowledge of the platform and extensive deployment experience proved invaluable, allowing for a smoother and more efficient implementation process overall.
What's my experience with pricing, setup cost, and licensing?
While the exact pricing for Splunk SOAR is not known to me, I've heard from some colleagues that it may be on the more expensive side compared to other automation tools. However, the general consensus seems to be that the investment in Splunk SOAR pays off once you start utilizing its capabilities and automating your workflows. By automating tasks and freeing up resources, Splunk SOAR can provide a strong return on investment in the long run, despite the potentially higher upfront cost.
Which other solutions did I evaluate?
I have evaluated different automation platforms, such as Microsoft Orchestrator, Ansible and Rundeck.
What other advice do I have?
I would rate Splunk SOAR nine out of ten. I am deducting one point because it is tedious to go through the logs manually.
SOAR allows for cloud and on-premise deployment, and I favor the on-premise option for enhanced security. Since some automation has extensive access to our internal systems, any internet communication during operation raises the potential for breaches.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Dec 26, 2025
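The REST path the reviewer describes above (any tool creates a container, and the playbook bound to the container's label runs) as an added example, not code from the review or from Splunk: a stdlib-only client that posts a container and an artifact. The endpoint paths `/rest/container` and `/rest/artifact` and the `ph-auth-token` header follow Splunk SOAR's public REST API; the hostname, the `db_outage` label and the alert fields are assumptions for illustration.

```python
"""Send an alert from an external tool into Splunk SOAR as a container.

Added example, not code from the review or from Splunk.  Endpoint paths
and the ph-auth-token header follow Splunk SOAR's public REST API; the
hostname, label and alert fields below are assumptions for illustration.
"""
import json
import os
import sys
import urllib.request
from typing import Any, Callable

# Assumed values: replace with your instance and the label your playbook is bound to.
DEFAULT_URL = "https://soar.example.internal"
LABEL = "db_outage"
SEVERITIES = ("low", "medium", "high")

Poster = Callable[[str, dict[str, Any], dict[str, str]], dict[str, Any]]


def post_json(url: str, body: dict[str, Any], headers: dict[str, str]) -> dict[str, Any]:
    """POST a JSON body and decode the JSON reply (TLS is verified by default)."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def build_container(name: str, label: str, severity: str, sdi: str) -> dict[str, Any]:
    """Container body; `label` is what selects the active playbook(s) to run."""
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}, got {severity!r}")
    return {
        "name": name,
        "label": label,
        "severity": severity,
        # A stable id from the source tool lets SOAR deduplicate repeated alerts.
        "source_data_identifier": sdi,
    }


def build_artifact(container_id: int, cef: dict[str, Any]) -> dict[str, Any]:
    """Artifact holding the alert fields (CEF-style keys) the playbook will read."""
    return {"container_id": container_id, "name": "alert", "label": "event", "cef": cef}


def push_alert(base_url: str, token: str, name: str, severity: str, sdi: str,
               cef: dict[str, Any], post: Poster = post_json) -> int:
    """Create the container, attach the artifact, and return the new container id."""
    headers = {"ph-auth-token": token}
    reply = post(f"{base_url}/rest/container",
                 build_container(name, LABEL, severity, sdi), headers)
    if not reply.get("success"):
        raise RuntimeError(f"container creation failed: {reply}")
    cid = int(reply["id"])
    reply = post(f"{base_url}/rest/artifact", build_artifact(cid, cef), headers)
    if not reply.get("success"):
        raise RuntimeError(f"artifact creation failed: {reply}")
    return cid


if __name__ == "__main__":
    # The automation token comes from the environment, never from the source file.
    token = os.environ.get("SOAR_TOKEN")
    if not token:
        sys.exit("set SOAR_TOKEN to a SOAR automation user token")
    # Constructed sample alert, as an observability tool might raise it.
    cid = push_alert(os.environ.get("SOAR_URL", DEFAULT_URL), token,
                     "mysqld not responding on db01", "high", "monitor-000123",
                     {"sourceHostName": "db01", "message": "mysqld not responding"})
    print(f"created container {cid}")
```

Use an automation user with only the container and artifact permissions the integration needs, so a leaked token cannot drive other parts of the platform.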
Enabled us to reduce the use of other tools
Pros and Cons
- "Splunk integrates with so many products. It provides us with good information for us to be able to do our jobs."
- "I haven't had any issues with the solution so far."
What is our primary use case?
I primarily use the solution for incident investigations.
What is most valuable?
We can make custom playbooks and use the Playbook Editor to do so. The Playbook is my favorite feature, it's quite useful. There are a lot of automation capabilities.
Its visibility is good. It's end-to-end. We can see incidents across our environment. We've been satisfied with the level of visibility so far.
The automation helps save us time. We've saved a lot of time researching incidents. If we do resolutions manually, it can take up to 15 minutes. With Splunk's automation and Playbook, we can resolve issues within two to three minutes.
We have Splunk integrated with other tools and systems. Some are using, for example, Carbon Black EDR. It's very flexible. It works with various third-party tools. Which we use depends on the customer.
The solution provides good business resilience. It helps with real-time detection and resolutions. With automation, our real-time alerting is quite good.
Splunk integrates with many products. It provides us with good information for us to be able to do our jobs.
We have been able to reduce the use of other tools. When we use Splunk, we tend to just focus on Splunk's findings, only. We do a lot of investigations using Splunk. It makes the process easier.
We've noticed a reduction in security event volume. It's helped us to reduce a lot. We've been able to reduce the mean time to detect by 30% to 40%. It's also helped us reduce the mean time to resolve by almost 50% to 60%. We have a lot of customers and a lot of alerts typically, so we've always had a lot to deal with.
What needs improvement?
I haven't had any issues with the solution so far.
For how long have I used the solution?
I've used the solution for three months.
What do I think about the scalability of the solution?
The solution is really scalable. We are using it across multiple customers and handle multiple alerts.
How are customer service and support?
We are able to connect with support if we have issues.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Right now, we also have IBM. However, mostly, we use Splunk. Our customers prefer Splunk over IBM thanks to the playbooks on offer. The appearance of Splunk is also better. Splunk has a strong reputation in the space. It makes investigations easier.
How was the initial setup?
The deployment process is straightforward. Our deployment team will deploy it for customers. It will take two to three days, depending on our customer's servers.
We can train employees on how to use Playbooks within two months.
What about the implementation team?
We help our clients deploy Splunk.
What's my experience with pricing, setup cost, and licensing?
The cost is as expected. It can be a bit high, however, we get a better rate between us and our third party. We provide services to clients if they purchase Splunk SOAR which gives them good value.
What other advice do I have?
I'd rate the solution nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: partner.
Updated: May 2026