We use it for risk management. And, we're trying to automate our L1 and L2 agents' functionalities. Through automation, we're trying to reduce the effort that is put in by an agent.
Senior Technical Specialist at a financial services firm with 10,001+ employees
Automation we have implemented has cut our agents' workload significantly, but playbook editor needs some work
Pros and Cons
- "It's pretty easy when it comes to setting up assets. If you want to fetch emails or call a REST API, you can set up an asset and grab that information."
- "Creating playbooks using the solution’s playbook editor, for me, is very cumbersome. There have been instances where I have said to myself that I just don't want to use this editor. I might just use a code block and write my own code within it... The functionality in the playbook editor is 80 percent there, but that 20 percent is still lacking. They could make it more efficient."
What is our primary use case?
How has it helped my organization?
The amount of time that our L1 and L2 agents used to take to do a simple task was about 40 hours per week. Using SOAR and automation we have reduced that to 10 to 15 hours per week. That is a big win. Building up the playbooks helps with the daily investigations for our agents and risk management team.
It has also helped to reduce our mean time to detection. Something that used to take, on average, 30 minutes now takes about five minutes. It really depends on the kind of event it is. And it has definitely helped free up our IT staff for other projects.
Splunk SOAR has also reduced our dependency on UBA, although we still use it. And similarly, while we still use Splunk Enterprise Security (ES) for threat detection, SOAR has reduced our dependency on that by using it for investigation. Of course, ES has to be there as it is receiving feeds, but the SOAR/ES collaboration is just a better way to function.
What is most valuable?
It's pretty easy when it comes to setting up assets. If you want to fetch emails or call a REST API, you can set up an asset and grab that information. Of course, we need to do some improvisation as far as coding is concerned, but you can just set up an asset such as O365. Or, if you are looking for any of the threat feeds, you can just set up an asset and they're readily available. You can then grab that particular information or those logs and bring them into SOAR.
Another good aspect is SOAR's ability to integrate with other systems and applications. We haven't faced any challenges with that. It's pretty simple and easy.
And although I'm more of a developer as opposed to an end-user, the reviews that we get from our end-users are that they picked it up pretty quickly. Based on that feedback I would say using SOAR for an investigation is pretty easy and convenient.
What needs improvement?
Creating playbooks using the solution’s playbook editor, for me, is very cumbersome. There have been instances where I have said to myself that I just don't want to use this editor. I might just use a code block and write my own code within it. I've tried using the editor for some of our playbooks, but I find it's cumbersome. It's easy to drag things in the GUI, but for the actual coding part and joining those bits in a full code, it's not as good as I would like. They have tried to make it as simple as possible, but its functionality is not up to the mark.
The functionality in the playbook editor is 80 percent there, but that 20 percent is still lacking. They could make it more efficient.
Buyer's Guide
Splunk SOAR
August 2025

Learn what your peers think about Splunk SOAR. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
867,497 professionals have used our research since 2012.
For how long have I used the solution?
I've been using Splunk SOAR for almost two years.
What do I think about the stability of the solution?
Initially, there was some lagging, but there are no issues at all now.
How are customer service and support?
I'm pretty impressed with Splunk's customer support. They're pretty responsive and I appreciate that.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We were using Phantom, which is a Splunk product, but they asked every customer to migrate from Phantom to SOAR. In my opinion, it's still the same thing, but in a more improvised way.
How was the initial setup?
It is a cloud solution for us. The deployment was in between straightforward and complex.
Training our SOC team to use the playbooks happened pretty quickly. After a couple of weeks, we were up and running.
We have somewhere between 30 and 50 users of SOAR, and there is no maintenance on our side.
What about the implementation team?
Splunk employees helped us out.
What was our ROI?
It took us four to five months to see value from SOAR, it didn't happen right away. But that was because we were still building up the environment, including the playbooks.
What other advice do I have?
Initially, we were trying to use it as a case management system, but after a lot of development, it wasn't up to the mark for the end requirements that we had from the business for that. SOAR is more of an orchestration and automation tool. Using it for case management was not appropriate on our end.
My advice is that if you are already using other products from Splunk, like Splunk ES or Splunk Core, first try to refine your logs to make them SaaS-compliant. I don't think SOAR accepts a SIEM model, it's more of a SaaS. Start looking at the logs and making them compliant if you want to bring some of your logs into SOAR. Also, spell out the integrations you require, the type of functionality you want to use it for.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.

Security Architect at University of Maryland
Takes most of the work away, but the time they take to implement new features is a little bit of concern
Pros and Cons
- "The playbooks are valuable. They are the core component. Being able to implement and build a code process to work through and scale out what we want to do is valuable."
- "have put a number of ideas on the ideas.splunk.com site for feature requests for the Splunk SOAR product. I posted one of them about three years ago, which finally got implemented in the latest release that just got announced, so the time to implement new features and things like that is a little bit concerning."
What is our primary use case?
We have a couple of different use cases. A lot of it started out in our security space, and we have use cases related to our legal and withhold process. We manage and handle our phishing and spam activity as well as our digital or any copyright act complaints.
We have a multi-cloud implementation, but most of our use cases that are currently implemented tend to not be specific to monitoring our cloud environments.
How has it helped my organization?
A lot of it comes down to the time and effort savings. For what we are doing with Splunk SOAR, a human would take a lot more time. Some things are very repetitive, and with Splunk SOAR, it might take a little bit of work to get that human work translated to the programming language or functions inside a playbook, but it allows us to take all that workload off that person and be able to do more with that one person.
For some of our actions, there has been about a 300% increase in productivity. For a lot of the use cases that we have implemented inside of Splunk SOAR, there is not as much to resolve. There are mostly actions where if something happens, it should go and do something, so it is automating that human process. It takes most of the work away from the person.
We have been able to benefit from a decreased workload on our limited staff. That same staff has been able to do more things because they are not having to do the work that this tool is doing.
Splunk SOAR has had no bearing on our resiliency.
What is most valuable?
The playbooks are valuable. They are the core component. Being able to implement and build a code process to work through and scale out what we want to do is valuable.
What needs improvement?
I have put a number of ideas on the ideas.splunk.com site for feature requests for the Splunk SOAR product. I posted one of them about three years ago, which finally got implemented in the latest release that just got announced, so the time to implement new features and things like that is a little bit concerning. I tend to post my ideas there so that other people in the community can see the features or ideas. They can then upvote them and make comments on them. I thought that is what the site is for.
For how long have I used the solution?
We have been using Splunk SOAR for about three years.
What do I think about the stability of the solution?
Overall, the stability of the product in terms of day-to-day operations is great. It is 100%, but because of the inter-dynamic and connected nature of SOAR, it relies on other services. When those services have changes or issues, it impacts SOAR, but SOAR, unfortunately, does not always handle them very well. It might look like there is a problem in SOAR or in the playbook or process that happened, but it might be a third party that caused it. Unfortunately, it requires someone to go into SOAR and fix something and do rework because, ultimately, that is the interconnection point where it fails.
What do I think about the scalability of the solution?
We have not designed our SOAR to scale. I am just going to grow it as big as it can until finally, I need to split it. We are not that large, so I do not know whether it will scale well or not.
How are customer service and support?
Overall, it has been great. We have not had any major bugs or incidents that have required anything more than requesting copies of the code for apps to make the additional changes that we need. Overall, the organization has been very good with that. I would rate them a nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We had no other automation or orchestration technology prior to Splunk SOAR.
How was the initial setup?
It was complex. Several of our use cases required modifications to existing SOAR apps, meaning new features had to be coded or added to the SOAR app support we wanted to do. Additional custom bits of code had to be created. At the time, we first implemented a lot of the features that are there in the product now, but they were not there. If we had waited two years to do the initial implementation, we probably would have got a much faster time to value because a lot of the work went in early on to build out features, but then they came out with a whole new version of it. The sad part is that for upgrading to the latest version of Splunk SOAR, we had to migrate from Python 2 to Python 3, so the process by which those playbooks and other things get migrated is difficult and requires a lot of work and rework.
What about the implementation team?
We did have a Splunk professional involved in our initial setup. I believe it was a direct Splunk employee. I do not believe it was a third-party person. They were good.
We have a lot of Splunk knowledge. We have complex use cases. We have a high level of knowledge. We did not want someone who just came out of the training class. They had to send us someone who was going to be valuable to us, and they did.
What was our ROI?
It is hard to quantify whether we have seen a return on investment. The expectation is that we do, but we are so short on staffing that it is difficult to calculate whether it is giving us a full FTE worth of a person. We think we are getting it, but we do not have good numbers to say that we are.
It is also hard to say whether we have seen time to value because there are some use cases that take so long to implement. Because of the way that SOAR is structured and interconnected with so many systems, to get something going and then make sure it continues to work, the time to value starts to become a little bit back and forth. Some of the use cases are great. The services underneath them have not changed. There has not been a lot of transition, but with the other ones, such as an API update, an update is required on the SOAR side, so it is a little harder.
What's my experience with pricing, setup cost, and licensing?
When we first purchased our Splunk SOAR license, it was based on an event-count model. It was based on the number of events. I had strong opinions at the time that automation should not be stifled by the amount of automation you can accomplish, so the previous structure was not as beneficial for us. Later that year, we got told or saw at a conference that they announced user-based pricing.
We are now in a renewal period, so we migrated to a user-based license model, which is more appropriate for us so that we no longer have to worry about stifling our automation based on the quantity. If I have an event that happens 500 times a day, but it is relatively minor, I can still spend the effort to automate it. The previous model meant that we could only automate high-value items in Splunk SOAR, meaning they had a large cost of the human factor to automate them, whereas now, I can transition. I can do many different things with Splunk SOAR that we were intentionally limited on.
Which other solutions did I evaluate?
We had evaluated other options twice. We evaluated before the acquisition by Palo Alto and then during our latest renewal period, we went ahead and reevaluated Palo Alto's competing products just to make sure that we are doing our due diligence about technology and whether this was going to be better or worse for us.
What other advice do I have?
Overall, I would rate Splunk SOAR a six out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Splunk SOAR
August 2025

Learn what your peers think about Splunk SOAR. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
867,497 professionals have used our research since 2012.
Security Manager at a financial services firm with 5,001-10,000 employees
The Smooth User Experience Currently Offered Can Further Be Enhanced By Offering Customization Options To Its Users
Pros and Cons
- "Before its use, analyzing each email would take at least 15 to 20 minutes, with some complex cases taking up to 30 minutes...With the automation provided by Splunk Phantom, we could significantly reduce the amount of time and human effort required to complete this task."
- "The technical support for the Splunk SIEM solution was average."
What is our primary use case?
As part of the cybersecurity incident response team, we were responsible for handling phishing emails related to business-as-usual operations. It was a manual process that would include five to six checks to determine the category of the email, its legitimacy, if it was malicious, and if it was an impersonation or a phishing email. We also worked on a use case for our infrastructure's proxy solutions. End users would request that certain websites be unblocked, as they had been blocked by the proxy's default policy or categorically blocked by the proxy. For this, we evaluated publicly available information about the website and the justification provided by the users, to determine whether the website should be whitelisted or made accessible.
Then, we implemented the automation process to simplify such tedious processes. In addition, we had a manual process in place for our threat hunting and threat intelligence platform, where we monitored leaked data on the dark web. This was documented as a use case. Our account management team also conducted weekly checks on the status of accounts. The process also made the team check if they were logged in on their accounts and if the account was disabled, which were manual processes that were later integrated into Splunk SOAR.
How has it helped my organization?
As a security analyst in the SOC center, I have seen the impact of implementing Splunk SOAR on our phishing email analysis process. Before its use, analyzing each email would take at least 15 to 20 minutes, with some complex cases taking up to 30 minutes. Of all the emails received, 30% were complex, 50% were average, and 20% were straightforward and would only take five to ten minutes to analyze. With the automation provided by Splunk SOAR, we can significantly reduce the amount of time and human effort required to complete this task. Instead of two analysts taking two to three hours to analyze 20 to 30 emails, one analyst can now complete the same task within one to two hours.
What is most valuable?
The most advantageous feature of Splunk SOAR is its ease of writing search queries, which can be attributed to Splunk's powerful analytics tool running in the background, offering a smooth user experience.
What needs improvement?
Improvements are needed in automation options as customization is limited, which may make complex use cases challenging despite the solution being able to meet basic requirements.
Currently, the tool only allows categorization into two categories, malicious and non-malicious, which has been identified as a limitation by security analysts in various group brainstorming sessions. The ability to create custom categories for emails can benefit security analysts.
For how long have I used the solution?
I was associated with this solution for almost three years. In my previous organization, Meredith, we initially deployed Splunk. Before that, we were using the ArcSight SIEM solution. Later on, after moving on to the Splunk environment, Meredith thought of opting for an automation process. So, we onboarded Splunk SOAR, but the user Splunk was managed by a third-party company.
What do I think about the stability of the solution?
Stability-wise, it is good. It doesn't have any downtime issues. If you consider Splunk SOAR as an independent solution to be deployed at work, then that would not be easy. The challenge is that Splunk SOAR cannot work without the Splunk SIEM solution. But if you have Splunk as your base, then Splunk Phantom works well. So the issues with Splunk Phantom are very minimal. I would rate it an eight on a scale of one to 10, where one is considered the worst and 10 is the best.
What do I think about the scalability of the solution?
In terms of scalability, I believe Splunk SOAR is decent. I haven't encountered any stability issues, even with a large infrastructure of over 10,000 end-user devices and high log inflows. I would rate its scalability as an eight or nine out of ten, where one is the worst and ten is the best. It works well in both large and small work environments.
How are customer service and support?
The technical support for the Splunk SIEM solution was average. Splunk is still working on improving its customer support, as they do not directly support SOAR, which is a separate entity. Other vendors, on the other hand, support various environments. I believe that Splunk can improve its customer support services.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I previously used Demisto, a security automation tool, in one of my previous organizations, Dell Technologies. The ease of writing custom queries and making granular modifications were the key reasons why we used it. In my next organization, I used Splunk SOAR because we already had Splunk in our environment. Currently, I am working in a bank that does not have a Splunk environment, so I am using a different automation tool.
How was the initial setup?
The deployment warranted collecting information on the external and internal parameters of our network system. A network engineer along with a team of four to five people from Hurricane Labs was involved in the deployment of the Splunk SIEM solution for the company. The deployment of the Splunk SIEM solution took approximately six to nine months. During the first three months, the team familiarized themselves with the environment and started the transition from an off-site setup. Over the next six to nine months, the team worked to mature the solution and address any issues with logs not being collected properly and displayed on the Splunk screen.
What about the implementation team?
Splunk SIEM was deployed by a third-party vendor. The vendor was responsible for the end-to-end deployment and was the main point of contact for the project. However, I am not familiar with the specific details of the deployment and therefore cannot accurately explain how the deployment of the solution was done.
What's my experience with pricing, setup cost, and licensing?
In terms of pricing, I would rate it a six or seven out of 10, where one is the highest and 10 is the lowest. It’s on the expensive side, and I'm not sure if a lot of the small-sized organizations will be able to afford it. A medium enterprise environment will be able to afford it. We had to pay for the cost of the licenses for the services we received.
What other advice do I have?
If you use Splunk as your SIEM solution, you can consider Splunk SOAR as your automation tool. However, automation tools such as AutomationEdge or Demisto may provide better value if you have other SIEM solutions.
I rate this solution a seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber Security Network Security Engineer at Cirrus Logic
We can automate and orchestrate our detections and quickly respond to them
Pros and Cons
- "In Splunk SOAR, I find the playbooks valuable. We get to create multiple playbooks, and within each playbook, there is a different type of investigation attached to it, which helps out an analyst or new analysts coming on board."
- "They can improve on what they are currently doing. They can provide more playbooks or at least template playbooks that are in their repository."
What is our primary use case?
One of our use cases is to automate any kind of process after investigation. When going into an investigation, we want to make sure that we have the right tools to use. Instead of having multiple tools, we can bring them all into one platform, such as Splunk SOAR, to provide us with that information.
How has it helped my organization?
Splunk SOAR has not benefited us yet because we are currently in the development process, but I believe that in the future, it will help us streamline our process and our RTR to respond and detect. It is going to help us in the future, but it has not brought us any benefit yet because we are currently building it up.
It is very important that Splunk SOAR has end-to-end visibility into our cloud-native environment. If there is no visibility, then there is no ability for us to detect on time and respond in time. It knocks out a lot of that time discrepancy.
Splunk SOAR has not yet helped reduce our mean time to resolve. It will be helping us in the future due to its playbooks and its compatibility with Mission Control and other Splunk integrations.
It has helped us with our business continuity and our ability to respond to different threats that might be out there.
Splunk SOAR has not saved us time in alert triage. We are still in the early stages of getting Splunk SOAR onboarded and developed, but I believe that it will significantly reduce our time to triage. Similarly, Splunk SOAR has not saved us time in threat response, but it will do so in the future.
Splunk's unified platform has helped consolidate networking, security, and IT observability tools. Splunk's unified platform has been great for every organization. Every analyst has been able to use one unified area.
What is most valuable?
In Splunk SOAR, I find the playbooks valuable. We get to create multiple playbooks, and within each playbook, there is a different type of investigation attached to it, which helps out an analyst or new analysts coming on board. When they get an incident, they do not need to find out where to start. All they have to do is to go to a particular playbook. It will give them end-to-end specifics on what to do and how to process it.
What needs improvement?
They can improve what they are currently doing. They can provide more playbooks or at least template playbooks that are in their repository. That is one area.
Another area would probably be related to onboarding different playbooks or different tool sets that new engineers have. Eventually, they will get there to ingest more tools and datasets into their SOAR.
In terms of additional features, it is hard to say. There can be more integration with other data ingestion platforms out there, not just Splunk.
For how long have I used the solution?
We have been using it for about one month.
What do I think about the stability of the solution?
We have not played with it too much yet. Once we are able to play with it more and get more details from it, we can respond to that.
What do I think about the scalability of the solution?
It can be very scalable just because of the number of different apps that the community pushes to it. Right now, it is not there yet, but I believe in the near future, it is going to be the best growing platform out there.
How are customer service and support?
Splunk's customer service is great and impeccable. I believe that they have been a very valuable resource to our organization and our team.
I would rate their support an eight out of ten just because I believe that no one really gets a ten. It is an eight just because the answers that they cannot answer for us, they are able to get from the community. The community really helps out, but they are always there to help, and they are always responsive.
How was the initial setup?
We are using Splunk Cloud, the public cloud, but we also have on-prem. We use AWS.
As the initial start of the Splunk SOAR, we are getting started with developing the playbooks and getting the configurations set up with our users and toolsets. It has been pretty easy so far. I have not had any hiccups, but we will see where that takes us as we finish our development.
What about the implementation team?
We did not use any integrator or reseller.
What was our ROI?
We have just started getting our metrics developed, ingesting into Splunk, and showing that to the executives.
What other advice do I have?
I would rate Splunk SOAR a nine out of ten just because it does hit all points for the use cases as an analyst, engineer, or developer. It allows us to automate and orchestrate all of our detections and respond to them very quickly.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Staff Security Engineer at a engineering company with 10,001+ employees
Reduces our mean time to resolution but can be unreliable
Pros and Cons
- "The most valuable feature is the API connector, depending on how it's formatted and who made the actual app offering for it. The REST API is my favorite component. It's very easy to use. The filters are also really valuable. Those are the two primary features but I enjoy using the rest of it."
- "SOAR is probably the most unreliable product Splunk has and that's because most of it is content driven from what you put into it. There are certain parts of it that have a little bit of difficulty at volume too. It's always changing. There is new stuff coming out for it that's going to make it a little bit better, but it does have some drawbacks."
What is our primary use case?
My primary use case is for SOC automation but it's used for a lot more than that. Some of the use cases are more or less appropriate for it. It's capable of doing a lot of things.
We use the SOAR platform to ingest alerts and escalations that we get. They do the actual enrichment processing and triaging but we don't use it for detection. We potentially could, but it's not what the product is meant for.
How has it helped my organization?
The visual playbook editor updates that they released have been absolutely instrumental because the old editor was impossible to look at for most of the time. It made my eyes bleed. I still have to look at it from time to time.
Splunk does provide substantial value.
It definitely does reduce our mean time to resolution through the enrichment details that it provides. Inputting your facts and details of the things you do not want to see with the events coming into it and easily filtering down off of that is one of the main value drivers outside of phish removal.
What is most valuable?
The most valuable feature is the API connector, depending on how it's formatted and who made the actual app offering for it. The REST API is my favorite component. It's very easy to use. The filters are also really valuable. Those are the two primary features but I enjoy using the rest of it.
What needs improvement?
SOAR is probably the most unreliable product Splunk has and that's because most of it is content driven from what you put into it. There are certain parts of it that have a little bit of difficulty at volume too. It's always changing. There is new stuff coming out for it that's going to make it a little bit better, but it does have some drawbacks.
It's specifically geared for SOC and not broader automation. The artifact filtering that's forced on everything inside the platform is pretty awful. It's for a subset of active playbooks which, out of the two hundred that we own, I think three or four of them are active, but we have to play with that setting for each one of them.
Every block should also have that option specifically because if you're not doing the artifact filtering on the front end, it's not good.
We've had lots of processes that have been victim to filtering not working appropriately at scale. It's hard to actually track down and trace because we can't reproduce the issues that we see in our testing environment or in production. That was two minor versions ago. It might have changed, it might not have, but we don't have a lot of trust in that feature.
UI elements like interacting with our analysts are near impossible. Finding stuff on the actual dashboard is really impossible most of the time. One example is that the timeline takes up three-quarters of the screen, but not a single person uses it because you have to individually set the container, the artifacts, and the actions to a specific attribute field that's really difficult to correlate to the actual events you put into it. The artifacts are really weird too because they're not traditional forensic artifacts. You shouldn't be able to change the value of an actual artifact. It was in that capacity but we also use it for that purpose in the platform.
For how long have I used the solution?
My company was one of Splunk's first five customers. I have been using it for the last three years.
What do I think about the stability of the solution?
I've only crashed SOAR a few times and it was my fault. If you have a production environment that's been running for a month or two and you have a few thousand events in it, if you mess up your query when you're trying to ask it a question and you do page size zero, it will just give you things on it, and it will crash it. That's a fun thing, but you shouldn't do that in general. That was a mistake on my part. Generally, it is very stable and available as most of the issues are usually the fault of the vendors that it's talking to, but that's with any platform.
What do I think about the scalability of the solution?
Scalability is interesting. Some of the assets do choke each other out. There is a cyclical lock thing that we had to fix on our inside. We have a CrowdStrike app, and we give it a file and ask it to do something and it goes great. It tells us that the default wait time is fifteen minutes, and there's only one of me. But there are five processes competing for that, and you get a giant backlog. We had to make our own custom app to get it later.
We have about fifty users on SOAR and a few hundred playbooks. Our environment is fairly large in terms of standard customers.
How was the initial setup?
I didn't do the initial integration, it was many years ago but we do deployments with the platforms team because we have the experience.
We have it down to a pretty good science right now because platform science does a really good job of automating the steps that go into setting up the server and whatnot. One good thing about the SOAR connectors that we have in the apps is the ability to save states and for apps just to self-heal. That has been really helpful because things go down from time to time and we don't have to worry about it because there's a second or third process that's going to pick it up.
What's my experience with pricing, setup cost, and licensing?
I have heard they are changing pricing, not possibly for the better. In comparison to the other vendors we looked at, they're all in the same ballpark of what they should be billing on. SOAR makes the most sense out of all of them, in terms of the billing factors.
Which other solutions did I evaluate?
We are looking at other platforms currently to compare areas. Splunk's editors are exceptionally better to look at. Visually, it's easier to find things and configure them.
There is more capability out-of-the-box for doing typical data transformation that you don't have to write too much code for, which is really nice. The code blocks have annotations in them. So when you actually open and look at what you worked on, four or five months later, you have your notes right there in the same place where it runs, which is really handy.
It's also just built for broader automation and it's all more HTTP, actions-based. Instead of having to build a connector, then put that on GitHub and install that in your platform, you can define an endpoint with credentials and you can do the same thing with SOAR. It's encouraged to do it with the actions and assets, which can be beneficial depending on what the product is.
If we do continue using SOAR, I think we're going to default to using more HTTP actions and stop using too many assets because it's a bit of a burden to create one, especially if out-of-the-box the actual configuration doesn't do what we need it to.
One example of this that we have is the request tracker app that we use for all of our tickets. When you ask it for the ticket information, it will return the metadata on it, nothing inside the actual ticket. That's a fork we have to create. It didn't actually do the basic product functionality that the vendor should be providing.
We also find that the vendors don't always keep the SOAR connectors updated. Sometimes they'll update the associated API, and then their connector will stop working because they're on different versions, and then we have to force our own fix on that. They usually make a SOAR connector just to say that they have one, but they won't put too much effort or thought into it.
What other advice do I have?
I'd probably rate the functionality an eight or a nine out of ten. I would give the UI a four out of ten. I would rate general Splunk SOAR a seven out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SOAR PS Consultant at a tech vendor with 11-50 employees
Offers great visibility, and we can customize the playbook use cases and integrate it with other solutions
Pros and Cons
- "The ability to automate Splunk SOAR and customize the playbook use cases is the most valuable feature and is very exciting for me."
- "The UI can be more customizable for the clients."
What is our primary use case?
Splunk SOAR is primarily used for automating security use cases for clients who want to reduce human intervention and personnel involvement. It facilitates end-to-end security workflows and helps to decrease the time spent on manual investigations.
Splunk SOAR can be deployed both in the cloud and on-premises. The cloud deployment comes pre-installed, so if we want to connect to any on-premises applications, we may need an additional server.
How has it helped my organization?
Building playbooks using Splunk SOAR is an easy process.
Splunk SOAR's playbook viewer is excellent. The viewer underwent an update a couple of years ago, making it much more streamlined and easier to use.
Splunk SOAR offers end-to-end visibility throughout our environment. The solution provides us with information about the actions being executed, the flow of the playbooks, where failures occur, and everything in between. It also collects logs of the actions in the backend.
Splunk SOAR simplifies the visualization and troubleshooting of our cloud-native environment. We only need to set up an additional server to connect to our cloud-based applications. Once that is done, the process becomes very straightforward.
Splunk SOAR has the ability to integrate with other system applications in our environment. Currently, SOAR is integrated with nearly 300 applications through APIs.
Splunk SOAR, as a whole, has helped numerous clients automate processes, reduce investigation time, and free up personnel to focus on other tasks. It is a highly effective tool for security automation.
Using Splunk SOAR in an investigation is extremely easy.
Splunk SOAR has significantly reduced our mean time to detect in a relatively short period.
Splunk SOAR has helped reduce our mean time to resolve.
Splunk SOAR has helped free up our IT staff's time to work on other projects.
Splunk SOAR has saved our organization a good amount of time overall.
With Splunk SOAR, we have been able to consolidate tools in our environment, such as Radius and CrowdStrike.
What is most valuable?
The ability to automate Splunk SOAR and customize the playbook use cases is the most valuable feature and is very exciting for me.
What needs improvement?
The UI can be more customizable for the clients.
For how long have I used the solution?
I have been using Splunk SOAR for almost five years.
What do I think about the stability of the solution?
Splunk SOAR is highly stable. The benefits that Resilience offers to SIEM are crucial at the moment, given the vast amount of data and other factors. It aids us in efficiently handling that data, and, with these additional tools, it helps to manage the data with minimal human intervention. As a result, we can reduce the mean time to resolve, the mean time to detect, and save money as well.
What do I think about the scalability of the solution?
Splunk SOAR's scalability is great. I have never had a client complain about the solution's ability to scale.
How are customer service and support?
The technical support team prioritizes all the tickets based on their criticality. They genuinely provide end-to-end support and contact us via email before scheduling calls. If it's a cloud instance, they simply attempt to push changes over the stack, making them extremely helpful.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial deployment is straightforward. It can be completed by a single person, who handles the installation and setup.
What was our ROI?
I've heard from clients that they are receiving more value from the fit than they initially expected. They are also pleased with how much Splunk SOAR has been assisting them with various tasks. Additionally, a couple of companies have reduced the number of personnel in their security team due to the implementation of SOAR.
For completely new users, it may take some time to perceive the benefits. However, for those who are already familiar with the solution and hold certifications, they can quickly recognize the advantages.
What's my experience with pricing, setup cost, and licensing?
The licensing cost is reasonable.
What other advice do I have?
I give Splunk SOAR a ten out of ten.
I started looking into security automation at that time. Initially, it was Phantom, which was quite popular five years ago. Splunk bought it and changed it to SOAR, so it became pretty easy to use. It's a relatively new concept, which is why we wanted to see how it works.
Once Splunk SOAR is deployed, it takes a couple of weeks to train the SOC team of our clients to use the playbooks.
Splunk SOAR requires maintenance if we plan to scale up the database, increase the number of users involved, and expand our development efforts. Additionally, the amount of data processed and other factors should be considered. For a premium user who actively uses it daily and is heavily involved in development, the solution may need regular maintenance. However, apart from such cases, I believe it doesn't require significant maintenance.
For those considering using Splunk SOAR, there is ample documentation available on the Splunk website. Additionally, they can download a free trial version, which can be installed on their server for experimentation.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Principal Security Engineer at a tech company with 51-200 employees
Integrates well, and uses custom Python code, but the UI has room for improvement
Pros and Cons
- "The best feature is the integration and the custom Python code that we can write. Splunk SOAR provides us with both of these capabilities, allowing us to integrate different security solutions with Splunk SOAR and take remediation actions directly on those security tools."
- "There is a lot of room for improvement with the UI."
What is our primary use case?
We utilize Splunk SOAR to automate our incident response process. I am the sole engineer in my current organization, responsible for working on Splunk to automate the incident response process followed by our team. This involves investigating various incident response procedures established within our security operations center.
The main problem we want to solve is the time it takes to invoice tickets and remediate incidents. Therefore, we aim to reduce that time. If our analysts manually handle and investigate each incident, it will take longer compared to using this solution, which automates most of the processes. Whenever an incident occurs, the playbook and Splunk automatically initiate the necessary actions to gather the required data, enabling the analyst to make informed decisions and address the incident promptly.
How has it helped my organization?
Creating a playbook using the Solutions Playbook Editor, is relatively easy if we possess some knowledge of Python code and the ability to write various types of flow diagrams.
The visibility of the solution's playbook viewer is excellent. There is adequate documentation that assists individuals in learning how to utilize the playbook to construct solutions.
Splunk SOAR's ability to integrate with other systems and applications in our environment is straightforward. It has numerous capabilities to integrate with various security tools, as it supports open APIs. If the solution supports the API, we only need to write the corresponding APIs in the pipeline code and utilize those API tools to construct the integration, enabling us to take action accordingly.
The most significant improvement I have observed is time-saving in the Security Operations Center incidents. We receive approximately a thousand to eleven hundred incidents per day, and if we were to manually investigate these incidents, we would require a team of ten to twelve people. However, by utilizing Splunk SOAR, we are able to handle the investigation of these thousand alerts with just six or seven people.
Splunk SOAR is not difficult to use in an investigation; it depends on the use case. I haven't encountered any issues with the implementation of the case solution, and there don't seem to be any limitations in that regard.
Splunk SOAR assists us in reducing the volume of security events. Whenever an incident occurs, the playbook initiates actions simultaneously with its generation in our security operations center. These incidents are automatically handled by the playbook, while incidents requiring manual intervention are assigned to our analysts. All other incidents are handled automatically through Splunk SOAR playbooks. Splunk SOAR has reduced the security event volume by forty-five percent.
Our mean time to detect has been drastically reduced. Before Splunk SOAR our security operation center, analysts worked on a queue. Whenever an alert was received, it was placed in a queue, and the incidents were investigated one by one. However, with the implementation of Splunk SOAR, we now have instant knowledge and analysts can start investigating more effectively. The required data is already gathered by the playbook itself, aiding analysts in making more accurate decisions in less time. This has resulted in a reduction of our mean time to detection by at least eighty percent. Previously, without Splunk SOAR, we experienced significant mean time to detect because analysts had to focus on one incident at a time, leaving other incidents waiting. Now, there is no need for incidents to wait for an analyst to take over. The playbook automatically gathers the data, allowing the analyst to have all the necessary information as soon as they start, enabling them to make prompt decisions.
Splunk SOAR has helped reduce our mean time to resolve. The resolution of incidents sometimes depends on different teams that need to investigate and send notifications for action. However, the notification of those incidents has been significantly reduced, and we can confidently say that we have achieved a fifty percent reduction in our mean time to resolve.
Fifty percent of our IT staff's time is saved through using Splunk SOAR, and we can utilize that time to work on the other project we have.
Splunk SOAR has saved our organization forty-five percent of our time.
What is most valuable?
The best feature is the integration and the custom Python code that we can write. Splunk SOAR provides us with both of these capabilities, allowing us to integrate different security solutions with Splunk SOAR and take remediation actions directly on those security tools. Additionally, we can write our own Python code, which can be used and embedded in a Splunk SOAR playbook, enabling us to utilize that code directly within the solution itself.
What needs improvement?
There is a lot of room for improvement with the UI.
I would like to have more integrations with cloud technologies and functionalities such as AI within Splunk SOAR.
For how long have I used the solution?
I have been using Splunk SOAR for five years.
What do I think about the stability of the solution?
Splunk SOAR is stable.
What do I think about the scalability of the solution?
Splunk SOAR is a hundred percent scalable.
How was the initial setup?
The initial setup was straightforward and took approximately three hours. Four individuals from our network team and one individual from the Splunk personal service team were required for the deployment as we needed to configure the server.
What was our ROI?
We have observed approximately a forty-five percent return on investment with Splunk SOAR.
What's my experience with pricing, setup cost, and licensing?
Splunk SOAR is more expensive compared to other options for SOAR.
Which other solutions did I evaluate?
We assessed various open-source options prior to choosing Splunk SOAR, such as Securonix SOAR and Shuffle.
What other advice do I have?
I would rate Splunk SOAR a seven out of ten. The solution necessitates expertise in Python coding, which is challenging to find in individuals. Additionally, Splunk SOAR lacks sufficient AI integration.
Before using Splunk SOAR, it took us approximately six hours to block certain IPs on our firewalls. However, after implementing Splunk SOAR, we were able to accomplish the same task within just five minutes.
We deployed Splunk SOAR on a single server.
We have around nine people that use Splunk SOAR in our organization.
Maintenance is sometimes required based on the incident volume we receive. If we experience a higher volume, we need to maintain the RAM and other components in our server. Therefore, it is important for us to exercise caution in this regard.
I highly recommend Splunk SOAR for individuals seeking to automate the incident response process in their security operation centers.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Director of Security Engineering and Operations at a legal firm with 1,001-5,000 employees
We can enrich alerts by pulling in more information about each user
Pros and Cons
- "I like the way Splunk interacts with various systems via the API. The ability to integrate Splunk with our ticketing system has been an immense help because we can maintain our workflow while blending Splunk with our support desk and other ways that we track work."
- "We have playbooks written to extract these events and put them into the workflow since it wasn't structured as expected. It was a miss for us. We couldn't figure out why it broke or what actually happened there. It was something in this feed with legitimate and security events, so we tried to understand the names and what we would call them."
What is our primary use case?
My company has two use cases for Splunk SOAR. We use it to enrich alarms by pulling in outside sources of information. Splunk can also automate actions while ensuring they are structured and reproducible.
How has it helped my organization?
With SOAR, you build a workflow, so you think ahead about all the steps that can be automated for a specific type of investigation. You need to do a decent amount of work in advance so that it does exactly what you tell it to. We need to gather a lot of essential details for our incidents. For example, if we're investigating a suspicious email, we need to gather a lot of information about who the user is.
We can enrich alerts by pulling in more information about each user. We can see their locations, roles, etc. Having that knowledge may influence our decisions or analysis. We can also submit files to be reviewed and get the results. It's akin to a doctor ordering diagnostic testing. The doctor can use the results to make decisions.
Splunk has benefited us from that perspective, but it takes some effort upfront to think about the flow and build it out. It reduces some of our manual research by offering additional context for events. I can pull the files, automatically submit them to a sandbox, have it run, and get the results from the sandbox. I don't have to notify one of my engineers and tell them to get this file I submitted to the sandbox.
It also improves ticketing because we can notify users when suspicious emails are quarantined and ensure a ticket is associated with it. We constantly track the work. We can close the ticket when the issue is resolved and release the email if it's legitimate. Splunk helps us document the entire process.
Splunk reduced our detection time a little by helping us quickly differentiate between an actual event and a false alarm. I don't view SOAR as a detection mechanism in itself. The events still occur. It helps enrich alerts so we can distinguish between actual events and noise.
For every event, it saves the responding staffer about 15 to 20 minutes because they need to do less data entry. They need to do the research and follow our procedure for a ticket. It takes time to assign a ticket and make entries. Finally, they need to perform an assessment and close the ticket.
Splunk SOAR frees up our staff to work on other things to a degree. There is always more than enough work, and somehow the volume still feels like it's always crazy. Still, it allows people to do some other tasks. It will enable my engineers to focus on more thought-provoking problems instead of menial tasks. I want them to spend time learning the underlying mechanism in case SOAR goes down.
If Splunk is unavailable for whatever reason, I always want to have someone who understands the mechanics of what it does. At the same time, it improves retention if you can eliminate some mind-numbing work and allow them to focus on challenging items. Your employees will be happier in general. They can do some more unusual, engaging work that enables them to learn and grow.
We couldn't consolidate any tools by using Splunk SOAR because everything was manual before we implemented it. We didn't have an automation tool.
What is most valuable?
I like the way Splunk interacts with various systems via the API. The ability to integrate Splunk with our ticketing system has been an immense help because we can maintain our workflow while blending Splunk with our support desk and other ways that we track work.
What needs improvement?
Sometimes we flag events based on conditions in the app or service that is sending us the feed, and we focused on a couple. We get some normal events, but we also see some security issues occasionally in the same feed. I don't know if they injected this or if this was the first time we saw it. There was another type that was security-related, but we didn't know about it before.
We have playbooks written to extract these events and put them into the workflow since it wasn't structured as expected. It was a miss for us. We couldn't figure out why it broke or what actually happened there. It was something in this feed with legitimate and security events, so we tried to understand the names and what we would call them.
It was a unique time. That goes back to an inability to detect these kinds of events. API documentation is typically a weak spot. Many vendors focus on the product first and save the API information for the very last.
Splunk's integration isn't bad. However, it comes down to which APIs are available. For example, I would like to automate file extraction, and a particular vendor seems to have an API that should do that, but I can't. You're at the mercy of the vendors. While APIs probably leverage more than ever, it's still like pulling teeth to get some vendors to support it correctly. Nevertheless, it's highly beneficial when it works.
Depending on the playbook, it can sometimes get a little crazy and overwhelming, but I think it's generally okay.
For how long have I used the solution?
I have used Splunk SOAR for about a year.
What do I think about the stability of the solution?
Splunk is relatively stable. We had an issue early on. It was a bug. Splunk sorted it out. Our uptime has been consistent.
What do I think about the scalability of the solution?
We haven't had any issues with scalability.
What was our ROI?
It took a little time before we realized Splunk SOAR's value. I have one engineer who dedicated himself to building many of our playbooks and a lot of the automation that we have. Another engineer is only starting out.
You need to have the right mindset so that you don't get scope creep. It's critical to manage what you want to do because you're dealing with a blank slate. There are costs like computation time, but it's relatively straightforward. You need to be thoughtful and take your time to do everything in small chunks. It took us a while to get going with SOAR because we have to integrate our devices. It isn't a turnkey solution.
What's my experience with pricing, setup cost, and licensing?
I don't remember Splunk SOAR's price off the top of my head. Still, I believe it was a solid value because of the time saved, consistent results that are reproducible, integration with multiple systems, etc. The benefits justify the cost.
Which other solutions did I evaluate?
We didn't seriously consider other options. We looked at what was happening in our environment, and our SIEM is a hub for our security operations. Palo Alto is another vendor we use, so we briefly looked at their SOAR solution. However, it wasn't in the right position to work with the Splunk piece. Splunk gathers all the log material. We can act on that and interface with all of our key security devices because they have rich associations with multiple security vendors. It made more sense for us to focus on that.
What other advice do I have?
I rate Splunk SOAR a nine out of ten. If you're thinking about implementing the solution, you should consider which events will save you the most time. Think about the procedures you're following today and where you can benefit the most from automation.
The second piece is thinking about the other solutions involved and the capabilities they offer. Do you have the API access to automate what you want? Your success depends on those vendors and sorting that stuff out. You must also approach your SOAR playbooks and workflows in a modular way. Don't try to handle everything upfront.
It's best to automate piece by piece. You don't need to tackle an entire ecosystem right off the bat. Take what you can and constantly improve it as you grow more comfortable. Splunk SOAR's strength comes from its interactions with other systems. Ensure that you're fully leveraging that.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner

Buyer's Guide
Download our free Splunk SOAR Report and get advice and tips from experienced pros
sharing their opinions.
Updated: August 2025
Product Categories
Security Orchestration Automation and Response (SOAR)Popular Comparisons
Microsoft Sentinel
IBM Security QRadar
Elastic Security
AWS Security Hub
Palo Alto Networks Cortex XSOAR
Exabeam
Tines
ThreatConnect Threat Intelligence Platform (TIP)
ServiceNow Security Operations
Sumo Logic Security
Fortinet FortiSOAR
Logpoint
Google Security Operations
Swimlane
Buyer's Guide
Download our free Splunk SOAR Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Which Do You Recommend, Phantom or Demisto?
- What are the Top 5 cybersecurity trends in 2022?
- What is the difference between SIEM and SOAR platforms?
- What is an incident response playbook and how is it used in SOAR?
- What are the latest trends in Security Operations Center (SOC)?
- What tools and solutions do you use for automated incident response in an enterprise in 2022?
- How to evaluate SIEM detection rules?
- Why a Security Operations Center (SOC) is important?
- What types of Security Operations Center (SOC) deployment models do exist?
- Why is Security Orchestration Automation and Response (SOAR) important for companies?