Strategic Account Executive at a computer software company with 51-200 employees
Real User
Top 5
Oct 22, 2025
Has automated patch management and incident response to save significant time for financial use cases
Pros and Cons
  • "Splunk SOAR saves time in threat response, and the time to solve an incident is currently the best in the market."
  • "There are areas where Splunk SOAR can continue to improve, particularly regarding the synchronization of information, as sometimes it takes longer than other tools."

What is our primary use case?

One of the main use cases I worked with Splunk SOAR was for a bank, specifically HSBC Hong Kong, a central bank.

A success story where Splunk SOAR saved my team significant time was during implementation at the bank. Previously, the information of incidents was managed manually, often leading to human errors, but with Splunk SOAR's AI and ML capabilities, they no longer needed to spend excessive time consolidating reports.

What is most valuable?

I have experience with Splunk SOAR and am familiar with it as with similar products such as Splunk On-Call.

The automated patch management feature is what I appreciate most about Splunk SOAR compared to Devo, which includes vulnerability response capabilities, triggers, and the AI-assisted playbook for handling various vulnerabilities.

Splunk's Unified Platform helps consolidate networking, security, and IT observability tools. When integrating Splunk SOAR with the NOC or operations centers of customers, deep integrations can be achieved, for example, with Cisco Security Cloud and AI and machine learning capabilities, which enhance playbooks and incident analysis.

Splunk SOAR saves time in threat response, and the time to solve an incident is currently the best in the market.

My impressions of Splunk SOAR's ability to predict, identify, and solve incidents in real time depend on the customers. If customers have their playbooks or knowledge bases properly implemented beforehand, the real-time capabilities become effective, but often they do not, which creates challenges.

What needs improvement?

There are areas where Splunk SOAR can continue to improve, particularly regarding the synchronization of information, as sometimes it takes longer than other tools. While they offer fantastic regional support, such as Spanish technical support, there is still room for improvement.

I would rate Splunk SOAR support an eight out of ten because escalating a ticket to a higher level can take more time, indicating a need for a larger support team.

They have bottlenecks in their support system.

For how long have I used the solution?

I have dealt with Splunk SOAR for about three years.

Buyer's Guide
Splunk SOAR
February 2026
Learn what your peers think about Splunk SOAR. Get advice and tips from experienced pros sharing their opinions. Updated: February 2026.
884,797 professionals have used our research since 2012.

What about the implementation team?

We purchased Splunk SOAR with a partner, Metabase Q, which is a main partner of Splunk, and they maintain a strong relationship with executives at both companies.

What other advice do I have?

My experience with the pricing of Splunk SOAR is that it is expensive; however, it is the best, so if you want the best, you need to invest accordingly.

I rate Splunk SOAR a nine out of ten because it is really user-friendly, the time to value is great, and it is not complex compared to other solutions such as IBM, where you often need highly skilled engineers for implementation, while Splunk SOAR provides much functionality out of the box.

I gave this solution a rating of nine out of ten.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Oct 22, 2025
TonyCormier - PeerSpot reviewer
Information System Security Officer at a manufacturing company with 10,001+ employees
MSP
Top 10
Oct 13, 2025
Has helped improve account activity monitoring and streamline threat validation processes
Pros and Cons
  • "Fortunately, the system helps to parse through these alerts and determine which ones are important and need further investigation."
  • "I'm not an expert on Splunk SOAR, but I'm sure our team members know what areas could be improved."

What is our primary use case?

I don't have much hands-on experience with the solution. While I understand its capabilities regarding logging and reporting, I haven't had much direct involvement. The administration is handled by teams within the organization, including our SOC team and the managed security tools team. Our cybersecurity engineers are responsible for managing those aspects.

We receive reports that track user login activity. We get SOAR reports based on this activity, which inform us when someone hasn't logged in for a certain period of time. Our SOC analysts monitor alerts and investigate them. Sometimes, I need to review the information they send me to validate findings and determine whether there is any malicious activity or if it's just natural behavior within our environment.

While my primary role doesn't involve monitoring alerts, I do receive external reports from the system. Occasionally, I need to investigate tickets related to alerts. This involves working with engineers, cloud engineers, or system administrators for the flagged systems.

How has it helped my organization?

We aggregate data from sources such as CloudTrail and CloudWatch to provide a comprehensive view of activity across the entire environment. We maintain an enterprise cloud setup where we host our customers. The SOC has visibility into everything happening within the system and monitors external components as well, such as internet-facing elements. This allows them to detect any malicious activity or unauthorized access attempts to the network.

I don't have the metric on the time saved. However, I do see that the SOC team receives a lot of reports. I’m not sure of the exact number, but it’s like hundreds of thousands of alerts every month. A single person couldn't go through them all. Fortunately, the system helps to parse through these alerts and determine which ones are important and need further investigation.

It organizes the alerts in a way that makes it easier for the team to go through them. They wouldn't be able to manage that volume without some organization in place.

It has helped improve our organization’s business resilience. I believe we are currently preparing for a security assessment, and Splunk may be collecting some performance data as part of that. This data might be coming from our performance monitoring system, but I need to confirm. Overall, Splunk provides a wealth of information. Our performance monitoring tools detect high CPU utilization, monitor storage, and identify any abnormal activity in the environment. Additionally, some of our tools have machine learning capabilities, which I find very helpful.

What is most valuable?

It has some automated features, including alerting and the ability to set up notifications for different entities. This ensures that we are informed of any activity related to user accounts or privileged accounts. It helps identify instances where an account is not being used or when someone has left the organization, making it unnecessary to manually look up accounts. The integration of automation in the SOAR capability enhances this process. The automation reduces the need for manual searches. 

What needs improvement?

I'm not an expert on Splunk SOAR, but I'm sure our team members know what areas could be improved. I haven't spoken to them specifically about what could be improved or what they would want Splunk SOAR to improve.

For how long have I used the solution?

We have been using this solution for about five years. 

What do I think about the stability of the solution?

It's been pretty reliable. I get some alerts as a security lead when there are auditing failures. We get a few of those occasionally, but it's not a common issue.

How are customer service and support?

I haven't interacted with them directly, but the team has said their support is really good.

How would you rate customer service and support?

Positive

How was the initial setup?

I do not have any experience with deploying Splunk SOAR. I know that the solution we’re using is cloud-based and hosted in a SaaS environment. Our team deploys agents and sets up the configurations for reporting. I can’t really speak to how complex the setup process is, but our teams could take advantage of or leverage the service.

What other advice do I have?

I would rate this solution an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Oct 13, 2025
Information Security Architect at UMMS
Real User
Top 5 Leaderboard
Jul 30, 2025
Integrating seamlessly with existing security infrastructure to effectively manage alerts and improve response times
Pros and Cons
  • "The benefits were immediate when we started using Mission Control Splunk SOAR over a year ago; it has made it easier for our analysts to work on alerts using playbooks and forward them."
  • "It would be nice if we could put it on other search heads, not just Enterprise Security."

What is our primary use case?

We have it interconnected with Enterprise Security. We use what's called Mission Control. There are two products for Splunk SOAR: Mission Control and Phantom. We're using Mission Control to forward automated alerts to our SOC analysts.

What is most valuable?

Being able to integrate with Enterprise Security is a big plus. I can assign admins or analysts roles to manage Mission Control or Splunk SOAR, which is very beneficial. The solution has been effective because we were able to filter out non-important alerts and focus on the important ones. Using playbooks has shortened the mean time to remediate.

What needs improvement?

It would be nice if we could put it on other search heads, not just Enterprise Security. We have an ad hoc search head, and compatibility with that would be beneficial. More training classes from Splunk University would also be good.

For how long have I used the solution?

We have been using the solution for about a year now.

What do I think about the stability of the solution?

There were minor issues with modifying the playbooks and integrating new alerts. The system hasn't stopped working or failed, so it's performing well.

What do I think about the scalability of the solution?

I haven't experienced any scalability issues yet.

How are customer service and support?

The customer service is good and pretty intuitive.

How would you rate customer service and support?

Which solution did I use previously and why did I switch?

I have personally used LogRhythm's product, though I cannot recall its specific name.

How was the initial setup?

The initial setup was fairly easy.

What about the implementation team?

We implemented using Splunk's version.

What was our ROI?

We have seen positive ROI using various techniques, including risk-based alerting and enabling or disabling false positive alerts.

What's my experience with pricing, setup cost, and licensing?

The solution is free for us, which is a beneficial aspect.

Which other solutions did I evaluate?

We did consider alternate solutions.

What other advice do I have?

Splunk SOAR has been integrated into Enterprise Security 8.1, making it easier to configure. This feature was released about a month ago. The benefits were immediate when we started using Mission Control Splunk SOAR over a year ago. It has made it easier for our analysts to work on alerts using playbooks and forward them. The implementation took approximately four weeks, with about 30% improvement in efficiency and 20% in overall performance. The solution offers more capabilities and better integrations with Enterprise Security. I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Last updated: Jul 30, 2025
reviewer2808384 - PeerSpot reviewer
Senior Associate at a tech vendor with 10,001+ employees
Real User
Top 20
Mar 16, 2026
User-friendly threat analysis has improved accuracy in distinguishing true and false positives
Pros and Cons
  • "Splunk SOAR is more user-friendly than those tools and provides more precise and advanced information that we require to analyze whether a case is a true positive or false positive."
  • "Sometimes it lags when I am working on multiple things."

What is our primary use case?

We have been using Splunk SOAR for analyzing threats and mitigating issues in cybersecurity. We provide input and SQL queries to Splunk SOAR, which analyzes the data and provides information on whether an IP address is legitimate or if it is a bot.

What is most valuable?

Splunk SOAR is user-friendly, and the SQL language inputs are intuitive. It provides precise information about what you are searching for.

I have used a couple of other cybersecurity tools in comparison. Splunk SOAR is more user-friendly than those tools and provides more precise and advanced information that we require to analyze whether a case is a true positive or false positive. It improves accuracy significantly.

What needs improvement?

Sometimes it lags when I am working on multiple things. Apart from that, every feature is useful.

Integration is an area for improvement. I would say it could include some other features that are present in IBM QRadar, which would be really helpful.

For how long have I used the solution?

I have been using Splunk SOAR for around five years.

What do I think about the stability of the solution?

Sometimes it lags when I am working on multiple things.

What do I think about the scalability of the solution?

Its scalability is really good.

How are customer service and support?

The customer service is excellent. They are responsive whenever I try to reach them.

How would you rate customer service and support?

Positive

What was our ROI?

The solution has resulted in money saved.

What other advice do I have?

Splunk SOAR is a very good application and a great tool to start your work with in cybersecurity. It will provide you with deeper investigation capabilities. The SQL language and other features will help you learn more. Compared to IBM QRadar, Splunk SOAR is a really excellent tool. I would rate this product an 8 out of 10.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 16, 2026
SAURABHYADAV4 - PeerSpot reviewer
Consultant at HCL Technologies
Real User
Top 5
Jun 10, 2024
Enables optimization by reducing manual intervention and increasing automation in the workflow
Pros and Cons
  • "The product provides 100% automation for certain processes."
  • "The solution must provide more AIOps to improve predictability."

What is our primary use case?

I use the solution for incident response and automation.

How has it helped my organization?

The product helps with workflow reduction. The manual efforts required have been reduced. It contributes to optimization. The extent of workflow reduction varies depending on the instance. Manual intervention is required for critical processes. If it is not critical, we can automate it.

What is most valuable?

The product provides 100% automation for certain processes. It needs no manual intervention. We can integrate various tools like VirusTotal and ServiceNow. We can automate all the tasks. It is one of the best things about the tool. It also provides workforce protection.

Whenever we get any alerts or make any configurations, we develop workflow automation using the playbooks. We can fully automate some of the security incident resolutions. We can also do identification and redirection using the product.

I have integrated Splunk Phantom with Splunk Cloud. Previously, I used it with Splunk on-premise to get the logs into Splunk for tracking and audit purposes. Since Splunk is a SaaS-based product, it has certain maintenance windows. Over time, the vendor does some maintenance during off-production hours.

Creating playbooks using the solution’s playbook editor is not tough. For someone who knows the solution, I rate the ease of creating playbooks as four out of five. The solution’s playbook viewer provides full visibility. The product provides different integrations. We can easily integrate the tool with VirusTotal, ServiceNow, and the asset and identity management system.

The product is somewhat easier to use in an investigation. We have been able to identify the false positives using the product. The tool has helped reduce false positives by 30%. Splunk SOAR has helped reduce our mean time to detect by 10% to 15%. Splunk SOAR has a major impact on our mean time to resolve. Our mean time to resolve has been reduced by 35% to 40%.

I have integrated VirusTotal with Splunk SOAR. Instead of doing manual checks, I can easily get the score by integrating the tool with Splunk SOAR. I have also synced Active Directory with the asset and identity management system.

It's been a long time since we have implemented Splunk SOAR. It brings value to our organization. Before Splunk SOAR, everything was done using manual intervention. We had to educate the SOC team on how to do tasks. We also had to create playbooks for them. With Splunk SOAR, we only have to educate the team about how things are done so that they can perform a manual intervention when there is a failure, which is rare.

After deploying the product, we had to provide some training to the SOC team. After getting trained, it was hands-on. Along with other Splunk solutions, Splunk SOAR provides the resilience to face any issues and hardships. We easily cope with downtimes.

Splunk SOAR offers us end-to-end visibility across our environment. It depends on how much we utilize it. Visualizing and troubleshooting our cloud-native environment using Splunk SOAR is somewhat easy. I have to coordinate with the Phantom administrators if there is any issue. I work mostly on playbook development and integrating it with security instances.


What needs improvement?

The solution must provide more AIOps to improve predictability.

For how long have I used the solution?

I have been using Splunk SOAR for three to four years.

What do I think about the stability of the solution?

The tool is stable because it is completely SaaS-based.

What do I think about the scalability of the solution?

The SOC and engineering teams use the solution. The engineering team uses it to automate tasks. We have around 30 to 40 users. We were not using the tool completely initially. Once we started using it, we scaled it. We have also increased the number of product licenses. Our clients are enterprise-level businesses.

How are customer service and support?

I've been using Splunk products for a long time. Overall, I am pretty satisfied with the quality of service of the support team.

How would you rate customer service and support?

Positive

How was the initial setup?

Splunk SOAR is SaaS-based. The deployment takes a few months to stabilize. We have a Splunk team that manages the deployment. Two to three people are involved in the deployment.

What's my experience with pricing, setup cost, and licensing?

Everything good comes with a price. The tool is not cheap. However, if we use it to its full potential, it will be beneficial.

What other advice do I have?

Overall, I rate the product an eight out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Hamada Elewa - PeerSpot reviewer
System Engineer - Security Presales at Raya Integration
Real User
Top 5 Leaderboard
Feb 28, 2025
Playbook complexity challenges integration but customization enables professional operation
Pros and Cons
  • "The customization of the playbook in Splunk SOAR is very beneficial."
  • "The creation of playbooks is complex in Splunk SOAR, and the number of integrations needs enhancement. Although it enhances alert handling, it still has a journey to compete with Palo Alto SOAR and FortiSOAR."

What is our primary use case?

We work with Splunk SOAR from a security perspective, focusing on User Behavior Analytics (UBA) and Security Orchestration, Automation, and Response (SOAR).

What is most valuable?

The customization of the playbook in Splunk SOAR is very beneficial. After building the playbook, it operates professionally. There is an AI engine, but it consumes hardware capacity significantly. The stable environment and the community provide strong support, reducing the need for technical support.

What needs improvement?

The creation of playbooks is complex in Splunk SOAR, and the number of integrations needs enhancement. Although it enhances alert handling, it still has a journey to compete with Palo Alto SOAR and FortiSOAR.

For how long have I used the solution?

I have been working with Splunk SOAR for almost eight months.

What do I think about the stability of the solution?

Splunk SOAR provides a stable environment and technology.

How are customer service and support?

Splunk's technical support is very good and generally not needed often due to the stable environment. However, I would like them to improve their response time.

How would you rate customer service and support?

Which solution did I use previously and why did I switch?

Before using Splunk SOAR, we focused on Palo Alto SOAR and FortiSOAR. We didn't switch but added Splunk SOAR to our portfolio.

What's my experience with pricing, setup cost, and licensing?

Splunk SOAR is affordable cost-wise only, but not competitive from a technical perspective compared to Palo Alto SOAR and FortiSOAR.

Which other solutions did I evaluate?

Splunk SOAR competes with Palo Alto SOAR and FortiSOAR.

What other advice do I have?

My advice is that Splunk SOAR needs to enhance its playbook creation and integration capabilities. I would rate Splunk SOAR a five out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Jay-Panchal - PeerSpot reviewer
Information Security Analyst at a healthcare company with 1,001-5,000 employees
Real User
Top 5
Sep 11, 2024
It's a powerful tool that can monitor our servers and improve our web business by reducing security threats
Pros and Cons
  • "Splunk has many features that make work easier, and it's simple to implement in a large production environment. Splunk collects a massive amount of data from cloud servers and handles it perfectly."
  • "The dashboard could be improved and some other features. SOAR should integrate network capabilities, allowing us to also monitor the WLAN network. Splunk is also expensive and difficult for beginners to learn. It's hard for a new user to figure out how to visualize old threat data. It took two to three months to learn with hands-on experience how to use the dashboard, visualize events, and analyze threats."

What is our primary use case?

I use Splunk to detect threats and conduct threat analysis. The solution monitors, models, and analyzes all security events in our cloud environment's production areas and mitigates threats.

How has it helped my organization?

Before we used Splunk SOAR, we didn't know how much traffic was coming in or what security threats were happening on our servers. We could not monitor the entire production environment. Splunk enables us to perform monitoring, threat hunting, threat analysis, and reporting on the risks and impact on our business. 

Splunk improves our business resilience because it's a powerful tool that can monitor our servers and improve our web business by reducing security threats. Before Splunk, security threats heavily impacted our production environments.

In the past, we had to monitor all our servers manually, but now that we have implemented SOAR in our production environment, we no longer need to monitor everything 24/7. It sends alerts to our emails, saving us time that we can spend on other tasks. It reduces our monitoring time by about 50 percent. Splunk speeds up our response time by 20 percent. 

Splunk can integrate and manage multiple solutions simultaneously. It has reduced our alert volume and improved our security. We can show our clients that we're monitoring all the production environments and mitigating events as they happen. It has improved our security posture and reduced the risk.

What is most valuable?

Splunk has many features that make work easier, and it's simple to implement in a large production environment. Splunk collects a massive amount of data from cloud servers and handles it perfectly. 

It manages the whole thread of data security logs and visualizes the data, making it easier to view everything. Splunk gives you end-to-end visibility of your on-prem environment, enabling you to troubleshoot issues easily. 

Splunk integrates easily with the AWS cloud and also other clouds like GCP and Azure. It quickly and efficiently captures all the logs from the cloud just like it was capturing logs from your on-premises environment.

What needs improvement?

The dashboard could be improved and some other features. SOAR should integrate network capabilities, allowing us to also monitor the WLAN network. Splunk is also expensive and difficult for beginners to learn. It's hard for a new user to figure out how to visualize old threat data. It took two to three months to learn with hands-on experience how to use the dashboard, visualize events, and analyze threats. 

For how long have I used the solution?

I used Splunk SOAR for about a year at the company I just left. 

What do I think about the stability of the solution?

I rate Splunk SOAR eight out of 10 for stability. 

What do I think about the scalability of the solution?

I rate Splunk SOAR nine out of 10 for scalability.

How are customer service and support?

I rate Splunk support eight out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously worked with Wazuh, and Splunk is a much better SOAR solution.

How was the initial setup?

Splunk SOAR is deployed on the cloud. The initial deployment wasn't complex, but implementing it on our production servers was a bit difficult because we had to deploy agents to more than 60 servers. It requires a little maintenance, such as upgrades and changing the dashboard. Installing it to a new production server takes a day to reconfigure. 

What was our ROI?

Once Splunk is fully deployed, we can realize the full benefit. Implementing the solution across all our servers took a week.

What's my experience with pricing, setup cost, and licensing?

I rate Splunk SOAR two out of 10 for affordability. Splunk is a fast enterprise tool, but it costs too much. At the same time, it's worth what we pay, in my opinion. We can efficiently perform all the functions and tie together the data. It's the perfect tool for our needs. 

What other advice do I have?

I rate Splunk SOAR eight out of 10. I recommend Splunk if the company can afford it. It's suitable for a large organization that requires security monitoring. It's the best tool for threat hunting and analysis. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Amit Moralwar - PeerSpot reviewer
Senior Information Security Engineer at a tech company with 10,001+ employees
Real User
Top 20
Jun 2, 2024
Provides a user-friendly GUI, and reduces manual work, but the playbooks have room for improvement
Pros and Cons
  • "Splunk SOAR's extensive library of pre-built integrations allows it to connect with a vast array of popular security and IT applications, streamlining workflows across our existing security stack."
  • "Various aspects of the playbook development process itself can be optimized."

What is our primary use case?

I use Splunk SOAR to create automation for our SOC team. These automations integrate with third-party applications, which is a key requirement for our SOC.

How has it helped my organization?

Splunk makes creating playbooks simple with its GUI. We can build playbooks by dragging and dropping different elements, eliminating the need for complex coding.

The visibility of the playbook viewer is good. We can add custom code while developing the playbook if required.

Splunk SOAR provides end-to-end visibility into our environment.

Troubleshooting our cloud-native environment with Splunk SOAR is a breeze thanks to its intuitive graphical interface. Unlike traditional tools requiring command lines, Splunk SOAR lets us manage integrations and cloud access entirely within the user-friendly GUI, streamlining the process.

Splunk SOAR has significantly reduced our manual workload by automating many previously time-consuming processes. We only began to see the full benefits after about five months.

Splunk simplifies security investigations by offering pre-built processes and leveraging the rich functionality embedded within Phantom's alerts. This combination provides a powerful toolkit for investigators.

Splunk SOAR has significantly improved our security alert resolution efficiency. While the specific time saved depends on the individual case, we've seen a general reduction in resolution time from around 20 minutes to five minutes thanks to the variety of use cases it supports.

Splunk has reduced our mean time to detection by 15 minutes.

Our mean time to resolution is now down to five minutes.

Splunk SOAR streamlined our security operations by consolidating multiple tools. We've successfully integrated and replaced approximately 15 individual applications into a more unified environment.

What is most valuable?

The most valuable features are the third-party integrations and the playbook development that can be done using Python.

Splunk SOAR's extensive library of pre-built integrations allows it to connect with a vast array of popular security and IT applications, streamlining workflows across our existing security stack. This includes tools like Salesforce, Microsoft Outlook, and abuseIP, empowering our organization's SOC and security teams to leverage these familiar applications within SOAR's automation and orchestration capabilities.

What needs improvement?

Playbooks offer significant room for improvement, as custom code is often required during development. Various aspects of the playbook development process itself can be optimized.

For how long have I used the solution?

I have been using Splunk SOAR for one and a half years.

What do I think about the stability of the solution?

Splunk SOAR is extremely stable.

What do I think about the scalability of the solution?

Splunk SOAR is scalable to our needs.

How are customer service and support?

The technical support is good.

How would you rate customer service and support?

Positive

What other advice do I have?

I would rate Splunk SOAR five out of ten.

Early on, we encountered some issues automating tasks with playbooks. However, a recent Splunk version upgrade resolved those problems.

We have 50 users spread across different regions.

The resilience of Splunk SOAR is great.

A thorough evaluation of the SOAR landscape is recommended to identify the best fit for your needs. If Splunk aligns with your requirements after this assessment, it can be a strong option.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.