SOAR Engineer at a consultancy with 10,001+ employees
Offers playbook automation that helps reduce the manual and tedious work for users
Pros and Cons
- "The most valuable feature of the solution is the playbook automation just because it allows us to reduce the manual actions that SOC has to handle."
- "Improving the integration ecosystem can raise the quality of the bottom tier of the integrations so that they can work better out of the box."
What is our primary use case?
My company operates as an MSSP that takes care of the detection and response for our customers. Splunk SOAR is where our company does the alert processing, and it is also where our SOC does its work. I work on developing the playbooks and apps that we use.
How has it helped my organization?
The product has improved the working of our company since it has removed a lot of the tedious work that we had to do previously. Even some of the easy stuff gets automated. Our company's analysts can really focus their hours on work that requires critical thinking, creative skills, and other similar areas.
What is most valuable?
The most valuable feature of the solution is the playbook automation just because it allows us to reduce the manual actions that SOC has to handle. When it comes to some of the workbook functionality where the analyst has to take some manual action, we can guide that process through templates and other things.
What needs improvement?
I think some of the case management functionality could be improved. Improving the integration ecosystem can raise the quality of the bottom tier of the integrations so that they can work better out of the box. In general, our company is pretty happy with the tool.
Buyer's Guide
Splunk SOAR
December 2025
Learn what your peers think about Splunk SOAR. Get advice and tips from experienced pros sharing their opinions. Updated: December 2025.
880,745 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Splunk SOAR for four years.
What do I think about the stability of the solution?
The tool's stability is fairly good.
What do I think about the scalability of the solution?
When it comes to the scalability, I think we have seen some issues there, such as running into some hardware bottlenecks sometimes, but I am detached from that part of the deployment, so I can't go into details on the things I have seen, but I know there are some pain points for our company. As we scale up the tool in our company, we are not really sure how to scale up in a better manner.
How are customer service and support?
The customer service and technical support have been great. We had some professional support come out when we set it up, and they were super helpful in helping us with the use cases and getting us stood up quickly. When our company reached out to the support team with some technical issues, I didn't hear any complaints about the responses from their end, so I think it was good.
Which solution did I use previously and why did I switch?
I have not used any other solutions in the past.
How was the initial setup?
I have done the deployment personally in my lab but not in a production environment.
Which other solutions did I evaluate?
My company evaluated Siemplify, which is known as Chronicle SOAR. My company has also evaluated Demisto and Cortex XSOAR. Our company is heavily invested in Splunk's ecosystem, and I think that was the biggest draw, especially since we use Splunk Enterprise Security and similar tools, so adding another Splunk tool made sense for our company. I think the product felt mature, and the plug-in ecosystem was where we needed it to be, along with the ability for the community to submit and create their own integrations and apps, which was interesting for us.
What other advice do I have?
When it comes to Splunk SOAR's ability to provide end-to-end visibility into our company's cloud-native environment, I would say that we are not using the cloud portions of it. I don't know if that's super relevant to what we are doing in our organization.
I am 100 percent sure that Splunk SOAR helped reduce our mean time to resolve. I don't have any metrics on hand, but I know it has dramatically decreased.
The tool has helped with the business resilience part. I think having it as a platform has been a solid portion of the product that we offer to people.
Splunk SOAR has definitely saved my time in alert triage. When some of the tedious enrichment and lookup stuff happens, the analyst doesn't have to deal with such areas, and they can just jump in and see relevant data all in one pane of glass, which has been super helpful for speeding things up.
The unified platform helps consolidate networking, security, and IT observability tools. The consolidation of tools impacts our organization as it just helps focus the SOC analyst on a single unified place to find information. It helps keep things streamlined and regular so they know where to look for certain stuff they want. It really helps people with training. It is a really easy tool to onboard people into because everything is right there in the product itself.
The product is really great. I would love to see more SOAR innovation going into the tool, especially the on-premises version since it is what we use in our company. I feel the tool needs to encourage continuous improvements, but as a product itself, my company is really happy with the solution.
I rate the tool an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Senior Principal Information Security Analyst at a tech vendor with 5,001-10,000 employees
Helped eliminate repetitive and redundant tasks, but custom functions and reporting need a lot of work
Pros and Cons
- "When you design a playbook, you can integrate multiple log sources and define rules... After that, the platform automatically compiles all these activities and, based on the results, the analyst only has to indicate whether the result is a true or false positive. That reduces the time and effort involved."
- "Suppose I am initially granted user rights or analyst rights, but later on, I also get admin rights. SOAR is unable to amend the limitations of my role. I raised a support ticket with Splunk about this. They said it's a bug in their 5.3.5 version. To fix this, I had to reinstall the entire platform from scratch."
What is our primary use case?
I'm using it mainly for SOC automation and reporting. It's for incident and threat modeling, incident reporting, and triage.
I come from a cybersecurity background and I used to work on the tickets for the security alerts we received from various sources, including Splunk and other SIEM tools. The major challenge was that we were occupied with a lot of noise and activities like validation of IP reports, DNS checks, and traffic monitoring. These were redundant activities that every analyst had to do. We wanted to stop these kinds of activities.
How has it helped my organization?
Splunk SOAR has multiple integrations with various tools, such as VirusTotal. Once we purchased those tools from the respective owners and automated them, the kinds of redundant activities we were having to do were almost immediately stopped.
Also, the ingestion of multiple log sources together helped us eliminate false positives. Using the SOAR platform, our monthly alert count was reduced from 1,100 to 200 or 250. That was the best impact we have seen from implementing SOAR in our environment.
It has reduced our mean time to detect and mean time to respond, from 20 to 30 minutes to just 5 to 10 minutes. In cybersecurity, every moment can be a ticking time bomb for us. We need to get to a solution immediately, whenever any incident is triggered in our environment. SOAR has helped us a lot.
Using this platform has resulted in a better work-life balance for my team.
What is most valuable?
One of the features I like most is playbook creation, and custom functions are another.
When you design a playbook, you can integrate multiple log sources and define rules. That used to be done by the analysts by going to the respective tools and doing tasks manually. Now, with playbook design, writing down those rules is a one-time activity that a SOAR admin has to do. After that, the platform automatically compiles all these activities and, based on the results, the analyst only has to indicate whether the result is a true or false positive. That reduces the time and effort involved. Our KPIs have greatly improved. An incident that used to take 15 to 20 minutes, was reduced to five minutes. This helped us speed up our response to any alert, whether it was a true positive or false positive.
Another of the best parts of the SOAR platform is its ability to integrate with other systems and applications. It provides API integrations and, through them, I can limit the rights for the tool, which is good. If I want to integrate any of the applications with CrowdStrike, but only for incident-review policies or just to review the work automation, I can grant rights only for those purposes. That is one of the best features available in SOAR. It is very easy to implement and very user-friendly.
What needs improvement?
The visibility of the solution's playbook viewer depends on the rights you assign to the analyst. SOAR has the flexibility to distinguish between the roles of analyst and owner. If the analyst's role is to just work on a ticket, they cannot view the playbook design platform. That is limited to the owner. That can be both a good and bad thing.
A major problem I have faced in SOAR's rights distribution is roles and responsibilities. Suppose I am initially granted user rights or analyst rights, but later on, I also get admin rights. SOAR is unable to amend the limitations of my role. I raised a support ticket with Splunk about this. They said it's a bug in their 5.3.5 version. To fix this, I had to reinstall the entire platform from scratch, just to amend the rights and responsibilities of one role. This bug was not fixed.
Also, the latest GUI is terrible. The previous one was better.
Another point is that while using Splunk SOAR in an investigation is not difficult, there are some complex parameters. We have SOAR case management, but the licensing is going to put a big hole in your pocket. Also, there is an issue with investigation node addition. When you are doing node additions you cannot grant the entire environment to have SOAR visibility into the incident. So when you integrate it with an ITSM tool, like ServiceNow or Jira for ticketing purposes, there is a challenge. When you do nodes for investigation on a regular basis, sometimes it does not update our ServiceNow platform, which is terrible. It is a redundant activity for an analyst to update that in the case management as well as in the ITSM tool. Although SOAR provides integration, the functionality of investigation and nodes is terrible when it comes to integration.
An additional area for improvement is custom function creation. It's terrible. A newbie cannot create custom functions right away. They would require a solid understanding first.
Also, the reporting is really awful. If I want to do a report for a customized time period, such as the last three days or the last four days, or from the 10th to the 12th of June, that is not available in SOAR at all. That kind of feature is available in Cortex XSOAR. Reporting is a real challenge.
For how long have I used the solution?
I have been using Splunk SOAR for four years.
What do I think about the stability of the solution?
It's a stable environment. I don't have any complaints about it in terms of its stability.
What do I think about the scalability of the solution?
Aside from the issue I described where I started with an analyst's role in the solution and then was granted an admin role but the privileges remained those of an analyst, and I had to reinstall the entire platform, overall, the scalability is good.
How are customer service and support?
We have contacted their tech support many times. They are readily available if I raise a P-1 ticket, because SOAR is not something we can work without. Their support is good and more capable than the SME we hired.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Before SOAR was purchased by Splunk, it was named Phantom and that is what I have worked with most of the time. I have also worked on Demisto, which is now Palo Alto Cortex XSOAR. That was a bit more user-friendly compared to Splunk SOAR.
How was the initial setup?
The initial deployment of SOAR is very complex. In my previous company, the deployment took me almost 10 days, and that was with a Splunk SME sitting with us. We paid them money to have the SME, but even he was unable to do what we needed to be done. Later on, we raised a support ticket with them and there were multiple escalations from our upper management to the Splunk management team. They then sent a good technical guy and he fixed the issue within five minutes. Before that, we were unable to do the DR instance. It took around 10 to 15 days just to fix that.
It's very difficult to install. No newbie could install SOAR on his own. He will require support. Here, I'm specifically talking about the later versions, not Phantom, rather once it became Splunk SOAR v5.3.5.
We had three people involved.
There is some maintenance. For example, it was using Python 2.7 and then there was the decommissioning of that version and the move to Python 3.x. That meant upgrading all the playbooks.
What's my experience with pricing, setup cost, and licensing?
It's very overpriced because it is based on the number of users. There is no bulk licensing.
What other advice do I have?
My advice would be to negotiate the cost. And if your organization is on the smaller side, with between 200 to 500 employees, you should not purchase it because it will blow up your finances. A bigger environment, with 2,000-plus employees, can go with the Splunk SOAR solution.
And if you are going with this solution, you should confirm what support they are going to provide, such as whether they are going to provide training credits or not. Sometimes they don't provide Splunk credits for training. Any newbie who is going to work on this will find it terrible to work in this environment. He will not be able to work without guidance. Other SOAR solutions, like Demisto (Cortex SOAR) are very user-friendly.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
IT Director at a manufacturing company with 501-1,000 employees
Easy to create playbooks and has saved alert triage time
Pros and Cons
- "Its ability to integrate with other systems and applications in our environment is pretty easy. Sometimes if we see any complexity we try to involve a consultant to help us. Everything is through the built-in app. Splunk can connect to any assets through the built-in app. It could be in a platform, firewalls, or endpoints. It's easy if it's an app integration."
- "The font used in the interface could be changed and made easier to read."
What is our primary use case?
We were using Splunk primarily to ingest data from different sources and do an analysis based on its information. We use Splunk SOAR now because we had some incidents where end users were trying to send emails in bulk from their office email address to their personal email address. SOAR will help us based on the configuration we do.
When you use your company email address to send emails to your personal email address or elsewhere, you're trying to link the complete confidential data. It's a risk. SOAR is the first step for DLP. We can have alerts set up where we can see if somebody's trying to send more than a fixed number of emails. The next steps happen in terms of implementing DLP.
What is most valuable?
I'm the director. I have a technical team who works on it. I give instructions on how to implement it. We are in the beginning stages.
I like the interface.
From what I heard from the team, it's pretty easy to create playbooks. With the app, you can easily view an app code. You can look at the log results and troubleshoot. The app can be enabled to suit your needs. As our SOC evolves, we can make changes or customize it according to our needs in SOAR.
SOAR offers end-to-end visibility across our full environment. It really depends on what sources we are ingesting. If you don't have data sources ingesting into Splunk that cover the environment end-to-end, then, obviously, SOAR will not give you what you're looking for. SOAR will help the best depending on what you ingest into Splunk.
The ability to troubleshoot with SOAR is excellent.
Its ability to integrate with other systems and applications in our environment is pretty easy. Sometimes if we see any complexity we try to involve a consultant to help us. Everything is through the built-in app. Splunk can connect to any assets through the built-in app. It could be in a platform, firewalls, or endpoints. It's easy if it's an app integration.
We will slowly see improvements in our business resilience once we have everything configured fully.
SOAR saved time in alert triage by around 30%.
SOAR is easy to use in an investigation. It also helped to reduce our security event volume by 50%.
It reduced our mean time to detect by 60-70%.
We have seen time to value. It's a work in progress.
We can set up alerts and get emails, so we can immediately respond to whatever data source or issue is causing it.
What needs improvement?
I would like to have a better user guide to explain how to use it.
The font used in the interface could be changed and made easier to read.
For how long have I used the solution?
We have been using SOAR for a few months.
What do I think about the stability of the solution?
I would give stability and scalability a nine out of ten.
How are customer service and support?
We have not used support for SOAR yet.
How was the initial setup?
The deployment is easy. It took a few hours to get up and running. Two people were involved in the deployment.
What's my experience with pricing, setup cost, and licensing?
It's expensive. The price is high but the product is good.
What other advice do I have?
It's on the cloud so it doesn't require maintenance.
I would recommend Splunk SOAR. I would rate it a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Software Automation Engineer at a wholesaler/distributor with 51-200 employees
Helps improve our business resilience, reduce our MTTR, and save time overall
Pros and Cons
- "The most valuable features are the Splunk SOAR apps and playbooks."
- "Providing Splunk app developers and playbook developers Python Stub files so that way when they create custom code through their IDE, they can have IntelliCode suggestions."
What is our primary use case?
My use case for Splunk SOAR is security automation.
We are running a Splunk SOAR cluster: three nodes in three different environments (dev, test, and prod).
How has it helped my organization?
The SOC team has been much less burdened since implementing Splunk SOAR. They're able to completely automate away some events. At the very least, they get so much information gathered from our automated actions that they're able to almost immediately take action if action isn't already taken by the playbooks that are being run.
Splunk SOAR has helped reduce our mean time to resolve. It has reduced, for example, ten-minute investigations into 30-second ones. Sometimes all our analysts need is a little bit of context, and they can immediately make a decision based on that. There are some events that we have where normally investigating them would take about ten minutes. We get a ton of those a day. I did the math and Splunk SOAR saves over 70 hours a week, which is massive. That savings is only for those types of events alone. In that context, it is a huge improvement.
Splunk SOAR has helped improve our business resilience. It's an extremely powerful tool. I do think that the ability it has depends on the people implementing it, though. The implementation needs to be good. If it's not, that's not Splunk SOAR's fault, that's the organization's fault. If they do it right, it is incredible.
Splunk SOAR has saved us time with alert triage. Even on simple events that might take ten minutes, we're taking that down by around 95 percent. Almost all events can at least have some sort of automation that saves minutes and every minute counts and saves us so much time.
Splunk SOAR has saved us time in threat response.
What is most valuable?
The most valuable features are the Splunk SOAR apps and playbooks. I am a Splunk SOAR developer, and my job is to make sure that integrations with third-party systems are done well. I give guidelines for how to properly make Splunk SOAR apps. These two features are essential in how the apps will work.
What needs improvement?
One area for improvement in Splunk SOAR is version control for Splunk apps. Currently, for Splunk playbooks, we can hook up a Splunk store to a Git repository with playbooks in it, and it will pull them down periodically, which is amazing. Splunk apps don't have that, and that would be extremely helpful because we do custom coding a lot. There are many vendors out there. And because there isn't source control, we need to emulate that same behavior, which causes us to do other things. For example, we need to create a Git repository somewhere on SOAR and create a clone job that periodically runs a Git pull action. After that, we bring all that SOAR data into that repository. We need to have a Git Hook that automatically tars the app we just created and then uses the API to automatically upload it. Because of that, now we have this app data that's being doubled up because we have SOAR apps in the Apps directory on the back end of Splunk SOAR, and we also have this Git repository, which holds all the same information. That could be highly simplified, and that is a big gap that would make my life and probably other developers' a lot easier.
There is a specific situation that comes into place when we have a Splunk SOAR cluster we have to work with. If we also don't have it hooked up to an external Splunk Enterprise instance, trying to debug what's going on in the cluster is extremely difficult because there are 45 different log locations. That could be extremely difficult to try and find out what is going on with all the microservices that are being used in a Splunk SOAR cluster. I had to personally develop a tool to be able to monitor all those logs at once and then parse it out and query that log once we're done with whatever operation so that we can get a clear picture of what's going on in the SOAR cluster, which has been immensely helpful, taking hours off of debugging time to do that. It would be nice to have a tool like that natively available in Splunk SOAR to begin with. Even without the cluster, I believe it's over 30 log sources that could go wrong.
Providing Splunk app developers and playbook developers with Python stub files would mean that when they create custom code through their IDE, they can have IntelliCode suggestions. It could be dangerous for someone who is coding to constantly have to look back at the documentation and not see, for example, that where they are expecting a Python dictionary, in reality it's a list. That could cause errors when a playbook runs or when an app runs, and that could be a potential incident that now goes unresolved, or a serious issue. That's dangerous. Providing SOAR app developers with some Python stub files that they can use for IntelliCode suggestions would also be helpful. Also, I would like slight changes to the way custom modifications to already existing apps on GitHub or Splunkbase are expected to be made: essentially by inheriting from the base app when we want to have custom modifications, so that developers have to explicitly override any methods from the base class that's there. That way, we're not modifying any of the underlying layers of the base app. We could also hook it up to a Git repository to receive those updates into the base app and then the custom app. This way we have these custom app features, we have all these extra things being put into it, still on the custom app end, so we can have our features and the base app all in one. I think that'd be a novel solution.
For how long have I used the solution?
I have been using Splunk SOAR for one year.
What do I think about the stability of the solution?
As a standalone instance, SOAR is extremely stable. I don't have any issues with it. The only reason there might be an issue is if we lack resources on the hardware itself, and that's more of a problem from an architecting, and engineering perspective, not exactly Splunk SOAR. When it comes to the Splunk SOAR cluster, it is pretty complicated. There are five different microservices, and if we have an issue there, we have 45 different log sources to get that info from, and it can be hard to debug it. If we have a problem, it can be hard to diagnose which microservice we might be having issues with.
What do I think about the scalability of the solution?
Splunk SOAR scales well, though when we get to, I believe, more than five nodes in a Splunk SOAR cluster, it becomes a little bit unwieldy, and it takes a long time for things to happen. If we need to update something in the cluster, things can get slow, and we have been told by professional services to try and keep it at three nodes because anything more than that is unwieldy, as they have said. I believe that is a known issue with Splunk SOAR.
How are customer service and support?
The technical support from Splunk has been good. Whenever we need to engage in professional services, they're always able to give us new information that we did not explicitly know, or they're able to validate what we need. Usually, when we talk to professional services of some kind, which is the main form of customer service I think that we use, it's usually quick and to the point in exactly what we need, which is fantastic. There have been times when we requested professional services, something we needed, and that was developed in-shop just for us, which is fantastic. The tool that was made to remove SOAR cluster nodes was requested by us, and then it became a feature later on. So that was amazing and helpful.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial deployment was extremely easy as a stand-alone instance. It's a straightforward process, especially for someone like me who has had to set up other servers containing security tools on them. In terms of setting up a cluster, I unfortunately haven't had experience setting up a cluster explicitly. I have had experience removing nodes from a cluster, and with a new tool that was released, I believe, in version 6.0, it was made easier. Deploying Splunk SOAR involves downloading the tarball, extracting it, running the pre-install script to ensure proper configuration, and then running the installation script. As long as system resources are sufficient, the installation itself should be quick despite the application's size.
What was our ROI?
The biggest metric that I've seen as a developer, admin, and DevOps engineer is the time saved. I don't think that on our end we have set up the ROI functionality in SOAR yet, but I know that the time saved has been massive. We should get it set up in SOAR so that the customers see the value.
What other advice do I have?
I would rate Splunk SOAR nine out of ten. It's a fantastic product; it needs a few more features to make it amazing. The clustering does need to be simplified a bit. Version controlling for apps and making app development just a little bit easier for developers would take it to the next level. There's no other SOAR product that does what Splunk SOAR does as well. All other SOARs are frankly inferior, but it just needs that little bit of extra functionality to make it a truly great product.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. Partners
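The review above describes two mechanics without showing them: a Git hook that tars an app directory and pushes it through the REST API, and customising a vendor app by inheriting from it rather than editing its files. The sketch below is an added example written for this page; it is not the reviewer's tool and not Splunk's code. The `BaseVendorConnector` class, the `_handle_<action>` dispatch convention, and the upload body shape `{"app": <base64 tgz>}` are assumptions standing in for whatever the real platform expects; the sample app directory is constructed in a temp folder.

```python
"""Added example: package a SOAR-style app for upload and customise a base
app by subclassing. Class names, the dispatch convention and the upload body
are assumptions, not taken from Splunk documentation."""
import base64
import io
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


# ---- Customising a base app by inheritance (the reviewer's proposal) -------

class BaseVendorConnector:
    """Stand-in for a connector pulled from GitHub or Splunkbase (hypothetical)."""

    def handle_action(self, action: str, param: Dict) -> Dict:
        # Dispatch to a method named after the action (assumed convention).
        handler = getattr(self, f"_handle_{action}", None)
        if handler is None:
            return {"status": "failed", "message": f"unsupported action {action}"}
        return handler(param)

    def _handle_lookup_ip(self, param: Dict) -> Dict:
        return {"status": "success", "ip": param["ip"], "source": "base"}


class CustomVendorConnector(BaseVendorConnector):
    """Overrides only what changes; base-app updates flow in untouched."""

    # Least privilege: expose only the actions this deployment actually needs.
    ALLOWED_ACTIONS = {"lookup_ip"}

    def handle_action(self, action: str, param: Dict) -> Dict:
        if action not in self.ALLOWED_ACTIONS:
            return {"status": "failed", "message": f"action {action} not enabled"}
        return super().handle_action(action, param)

    def _handle_lookup_ip(self, param: Dict) -> Dict:
        result = super()._handle_lookup_ip(param)
        result["enriched_by"] = "custom"  # local enrichment layered on top
        return result


# ---- Packaging an app directory from a Git hook ----------------------------

def make_sample_app() -> Path:
    """Constructed sample app directory (not a real SOAR app), with VCS metadata."""
    app = Path(tempfile.mkdtemp()) / "myapp"
    (app / ".git").mkdir(parents=True)
    (app / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (app / "myapp.json").write_text(json.dumps({"name": "myapp", "app_version": "1.0.0"}))
    (app / "myapp_connector.py").write_text("# connector code would live here\n")
    return app


def package_app(app_dir: Path) -> bytes:
    """Tar+gzip an app directory in memory, skipping .git and compiled files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(app_dir, arcname=app_dir.name, recursive=False)
        for path in sorted(app_dir.rglob("*")):
            if ".git" in path.parts or path.suffix == ".pyc":
                continue
            tar.add(path, arcname=str(path.relative_to(app_dir.parent)), recursive=False)
    return buf.getvalue()


def build_upload_body(tgz: bytes) -> str:
    """JSON body for the assumed app-upload endpoint; sending it is left to the hook."""
    return json.dumps({"app": base64.b64encode(tgz).decode("ascii")})


def tarball_members(tgz: bytes) -> List[str]:
    """List archive entries, so a hook can verify nothing sensitive was packed."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        return sorted(m.name for m in tar.getmembers())


if __name__ == "__main__":
    tgz = package_app(make_sample_app())
    print(tarball_members(tgz))
    print(CustomVendorConnector().handle_action("lookup_ip", {"ip": "203.0.113.5"}))
```

Keeping the customisation in a subclass means a `git pull` of the base app never collides with local edits, and `tarball_members` gives the hook a cheap place to refuse an upload that accidentally includes `.git` contents or credentials files before anything touches the API.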
Cyber Defense Center Capability Lead at a financial services firm with 1,001-5,000 employees
Helps analysts with investigations by automating repetitive tasks and presenting them with scripts that include user lookups and other information
Pros and Cons
- "We are not a 24/7 SOC, so the most valuable feature of Splunk SOAR is the auto-response to threats when we are not in the office and the notifications that it sends to the on-call engineer."
- "It would be ideal for us if Splunk SOAR could integrate with Teams."
What is our primary use case?
We use Splunk SOAR to automate response for ransomware attacks.
How has it helped my organization?
We are triaging with SOAR. It helps the analysts with investigations by automating repetitive tasks and presenting them with scripts that include user lookups and other information. It also includes widgets for notes.
Splunk SOAR has helped us save on repetitive tasks. Before we had SOAR, we used to triage in Splunk Enterprise using our app but we have migrated most of the searches into SOAR. Now with SOAR, we can get it to close the alerts we know about automatically. It is much faster so the analyst doesn't have many alerts to deal with. Now that we have migrated, we are moving more towards automation and using SOAR to work more for us. Splunk SOAR has freed up the time of three full-time analysts to focus on other tasks.
We only use Splunk SOAR on-premises, but end-to-end visibility is key to having a fast response to ransomware attacks even when we are not in the office.
Splunk has saved us time in threat response.
What is most valuable?
We are not a 24/7 SOC, so the most valuable feature of Splunk SOAR is the auto-response to threats when we are not in the office and the notifications that it sends to the on-call engineer.
What needs improvement?
The banks have recently bought Splunk Enterprise Security. We haven't implemented it yet. It is being built. The new version coming out is going to incorporate Mission Control and SOAR. It looks like we will need to move Splunk again and do our triage in Enterprise Security. The reason we took the step to SOAR was for the functionality available for the triage which is now being incorporated into Mission Control. We can easily migrate the data over to Mission Control. For us, the next steps will be to use it as a backend server where we can run playbooks and triage in there.
It would be ideal for us if Splunk SOAR could integrate with Teams.
For how long have I used the solution?
I have been using Splunk SOAR for three years.
What do I think about the stability of the solution?
The version of Splunk SOAR we are on now is stable. We did have issues with the failover in the early days but now with how we have it configured there is hardly any downtime.
What do I think about the scalability of the solution?
We use about 1.6 terabytes of data per day with Splunk, with about 6,000 users. We don't need it to scale at the moment.
How are customer service and support?
We use Splunk technical support a lot. They are good and we have a good relationship with our Account Manager who helps us with the tickets and provides us with articles.
Splunk technical support wasn't always readily available, and in one instance, a support representative didn't have the expertise to resolve our specific problem.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before Splunk we had our analyst log in manually to Carbon Black. No tool automated the tasks until we switched to Splunk.
How was the initial setup?
We had to get a small engineering team of about three people to be dedicated to Splunk SOAR so we could have Splunk professional service come in and give us a startup. That worked well. They passed their knowledge to our engineering team and we maintain it in-house now.
What about the implementation team?
The implementation was completed with the help of the Splunk professional services team.
What's my experience with pricing, setup cost, and licensing?
I found the price of Splunk SOAR to be good.
What other advice do I have?
I would rate Splunk SOAR nine out of ten.
Our initial Splunk installation was a successful proof of concept but needed to be made more reliable. Splunk professional services offered assistance, but due to limitations in finding a suitable SOAR solution, we opted for a cold standby implementation. This allows us to switch to the standby instance if the primary SOAR becomes unavailable.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Architect at a university with 10,001+ employees
Takes most of the work away, but the time they take to implement new features is a little bit of concern
Pros and Cons
- "The playbooks are valuable. They are the core component. Being able to implement and build a code process to work through and scale out what we want to do is valuable."
- "I have put a number of ideas on the ideas.splunk.com site for feature requests for the Splunk SOAR product. I posted one of them about three years ago, which finally got implemented in the latest release that just got announced, so the time to implement new features and things like that is a little bit concerning."
What is our primary use case?
We have a couple of different use cases. A lot of it started out in our security space, and we have use cases related to our legal and withhold process. We manage and handle our phishing and spam activity as well as our digital or any copyright act complaints.
We have a multi-cloud implementation, but most of our use cases that are currently implemented tend to not be specific to monitoring our cloud environments.
How has it helped my organization?
A lot of it comes down to the time and effort savings. For what we are doing with Splunk SOAR, a human would take a lot more time. Some things are very repetitive, and with Splunk SOAR, it might take a little bit of work to get that human work translated to the programming language or functions inside a playbook, but it allows us to take all that workload off that person and be able to do more with that one person.
For some of our actions, there has been about a 300% increase in productivity. For a lot of the use cases that we have implemented inside of Splunk SOAR, there is not as much to resolve. There are mostly actions where if something happens, it should go and do something, so it is automating that human process. It takes most of the work away from the person.
We have been able to benefit from a decreased workload on our limited staff. That same staff has been able to do more things because they are not having to do the work that this tool is doing.
Splunk SOAR has had no bearing on our resiliency.
What is most valuable?
The playbooks are valuable. They are the core component. Being able to implement and build a code process to work through and scale out what we want to do is valuable.
What needs improvement?
I have put a number of ideas on the ideas.splunk.com site for feature requests for the Splunk SOAR product. I posted one of them about three years ago, which finally got implemented in the latest release that just got announced, so the time to implement new features and things like that is a little bit concerning. I tend to post my ideas there so that other people in the community can see the features or ideas. They can then upvote them and make comments on them. I thought that is what the site is for.
For how long have I used the solution?
We have been using Splunk SOAR for about three years.
What do I think about the stability of the solution?
Overall, the stability of the product in terms of day-to-day operations is great. It is 100%, but because of the inter-dynamic and connected nature of SOAR, it relies on other services. When those services have changes or issues, it impacts SOAR, but SOAR, unfortunately, does not always handle them very well. It might look like there is a problem in SOAR or in the playbook or process that happened, but it might be a third party that caused it. Unfortunately, it requires someone to go into SOAR and fix something and do rework because, ultimately, that is the interconnection point where it fails.
What do I think about the scalability of the solution?
We have not designed our SOAR to scale. I am just going to grow it as big as it can until finally, I need to split it. We are not that large, so I do not know whether it will scale well or not.
How are customer service and support?
Overall, it has been great. We have not had any major bugs or incidents that have required anything more than requesting copies of the code for apps to make the additional changes that we need. Overall, the organization has been very good with that. I would rate them a nine out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We had no other automation or orchestration technology prior to Splunk SOAR.
How was the initial setup?
It was complex. Several of our use cases required modifications to existing SOAR apps, meaning new features had to be coded or added to the SOAR app to support what we wanted to do. Additional custom bits of code had to be created. At the time we first implemented, a lot of the features that are in the product now were not there. If we had waited two years to do the initial implementation, we probably would have got a much faster time to value because a lot of the work went in early on to build out features, but then they came out with a whole new version of it. The sad part is that for upgrading to the latest version of Splunk SOAR, we had to migrate from Python 2 to Python 3, so the process by which those playbooks and other things get migrated is difficult and requires a lot of work and rework.
What about the implementation team?
We did have a Splunk professional involved in our initial setup. I believe it was a direct Splunk employee. I do not believe it was a third-party person. They were good.
We have a lot of Splunk knowledge. We have complex use cases. We have a high level of knowledge. We did not want someone who just came out of the training class. They had to send us someone who was going to be valuable to us, and they did.
What was our ROI?
It is hard to quantify whether we have seen a return on investment. The expectation is that we do, but we are so short on staffing that it is difficult to calculate whether it is giving us a full FTE worth of a person. We think we are getting it, but we do not have good numbers to say that we are.
It is also hard to say whether we have seen time to value because there are some use cases that take so long to implement. Because of the way that SOAR is structured and interconnected with so many systems, to get something going and then make sure it continues to work, the time to value starts to become a little bit back and forth. Some of the use cases are great. The services underneath them have not changed. There has not been a lot of transition, but with the other ones, such as an API update, an update is required on the SOAR side, so it is a little harder.
What's my experience with pricing, setup cost, and licensing?
When we first purchased our Splunk SOAR license, it was based on an event-count model. It was based on the number of events. I had strong opinions at the time that automation should not be stifled by the amount of automation you can accomplish, so the previous structure was not as beneficial for us. Later that year, we got told or saw at a conference that they announced user-based pricing.
We are now in a renewal period, so we migrated to a user-based license model, which is more appropriate for us so that we no longer have to worry about stifling our automation based on the quantity. If I have an event that happens 500 times a day, but it is relatively minor, I can still spend the effort to automate it. The previous model meant that we could only automate high-value items in Splunk SOAR, meaning they had a large cost of the human factor to automate them, whereas now, I can transition. I can do many different things with Splunk SOAR that we were intentionally limited on.
Which other solutions did I evaluate?
We had evaluated other options twice. We evaluated before the acquisition by Palo Alto and then during our latest renewal period, we went ahead and reevaluated Palo Alto's competing products just to make sure that we are doing our due diligence about technology and whether this was going to be better or worse for us.
What other advice do I have?
Overall, I would rate Splunk SOAR a six out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Technical Specialist at a financial services firm with 10,001+ employees
Automation we have implemented has cut our agents' workload significantly, but playbook editor needs some work
Pros and Cons
- "It's pretty easy when it comes to setting up assets. If you want to fetch emails or call a REST API, you can set up an asset and grab that information."
- "Creating playbooks using the solution’s playbook editor, for me, is very cumbersome. There have been instances where I have said to myself that I just don't want to use this editor. I might just use a code block and write my own code within it... The functionality in the playbook editor is 80 percent there, but that 20 percent is still lacking. They could make it more efficient."
What is our primary use case?
We use it for risk management. And, we're trying to automate our L1 and L2 agents' functionalities. Through automation, we're trying to reduce the effort that is put in by an agent.
How has it helped my organization?
The amount of time that our L1 and L2 agents used to take to do a simple task was about 40 hours per week. Using SOAR and automation we have reduced that to 10 to 15 hours per week. That is a big win. Building up the playbooks helps with the daily investigations for our agents and risk management team.
It has also helped to reduce our mean time to detection. Something that used to take, on average, 30 minutes now takes about five minutes. It really depends on the kind of event it is. And it has definitely helped free up our IT staff for other projects.
Splunk SOAR has also reduced our dependency on UBA, although we still use it. And similarly, while we still use Splunk Enterprise Security (ES) for threat detection, SOAR has reduced our dependency on that by using it for investigation. Of course, ES has to be there as it is receiving feeds, but the SOAR/ES collaboration is just a better way to function.
What is most valuable?
It's pretty easy when it comes to setting up assets. If you want to fetch emails or call a REST API, you can set up an asset and grab that information. Of course, we need to do some improvisation as far as coding is concerned, but you can just set up an asset such as O365. Or, if you are looking for any of the threat feeds, you can just set up an asset and they're readily available. You can then grab that particular information or those logs and bring them into SOAR.
Another good aspect is SOAR's ability to integrate with other systems and applications. We haven't faced any challenges with that. It's pretty simple and easy.
And although I'm more of a developer as opposed to an end-user, the reviews that we get from our end-users are that they picked it up pretty quickly. Based on that feedback I would say using SOAR for an investigation is pretty easy and convenient.
What needs improvement?
Creating playbooks using the solution’s playbook editor, for me, is very cumbersome. There have been instances where I have said to myself that I just don't want to use this editor. I might just use a code block and write my own code within it. I've tried using the editor for some of our playbooks, but I find it's cumbersome. It's easy to drag things in the GUI, but for the actual coding part and joining those bits in a full code, it's not as good as I would like. They have tried to make it as simple as possible, but its functionality is not up to the mark.
The functionality in the playbook editor is 80 percent there, but that 20 percent is still lacking. They could make it more efficient.
For how long have I used the solution?
I've been using Splunk SOAR for almost two years.
What do I think about the stability of the solution?
Initially, there was some lagging, but there are no issues at all now.
How are customer service and support?
I'm pretty impressed with Splunk's customer support. They're pretty responsive and I appreciate that.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We were using Phantom, which is a Splunk product, but they asked every customer to migrate from Phantom to SOAR. In my opinion, it's still the same thing, but in a more improvised way.
How was the initial setup?
It is a cloud solution for us. The deployment was in between straightforward and complex.
Training our SOC team to use the playbooks happened pretty quickly. After a couple of weeks, we were up and running.
We have somewhere between 30 and 50 users of SOAR, and there is no maintenance on our side.
What about the implementation team?
Splunk employees helped us out.
What was our ROI?
It took us four to five months to see value from SOAR, it didn't happen right away. But that was because we were still building up the environment, including the playbooks.
What other advice do I have?
Initially, we were trying to use it as a case management system, but after a lot of development, it wasn't up to the mark for the end requirements that we had from the business for that. SOAR is more of an orchestration and automation tool. Using it for case management was not appropriate on our end.
My advice is that if you are already using other products from Splunk, like Splunk ES or Splunk Core, first try to refine your logs to make them SaaS-compliant. I don't think SOAR accepts a SIEM model, it's more of a SaaS. Start looking at the logs and making them compliant if you want to bring some of your logs into SOAR. Also, spell out the integrations you require, the type of functionality you want to use it for.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Manager at a financial services firm with 5,001-10,000 employees
The Smooth User Experience Currently Offered Can Further Be Enhanced By Offering Customization Options To Its Users
Pros and Cons
- "Before its use, analyzing each email would take at least 15 to 20 minutes, with some complex cases taking up to 30 minutes...With the automation provided by Splunk Phantom, we could significantly reduce the amount of time and human effort required to complete this task."
- "The technical support for the Splunk SIEM solution was average."
What is our primary use case?
As part of the cybersecurity incident response team, we were responsible for handling phishing emails related to business-as-usual operations. It was a manual process that would include five to six checks to determine the category of the email, its legitimacy, if it was malicious, and if it was an impersonation or a phishing email. We also worked on a use case for our infrastructure's proxy solutions. End users would request that certain websites be unblocked, as they had been blocked by the proxy's default policy or categorically blocked by the proxy. For this, we evaluated publicly available information about the website and the justification provided by the users, to determine whether the website should be whitelisted or made accessible.
Then, we implemented the automation process to simplify such tedious processes. In addition, we had a manual process in place for our threat hunting and threat intelligence platform, where we monitored leaked data on the dark web. This was documented as a use case. Our account management team also conducted weekly checks on the status of accounts. The process also made the team check if they were logged in on their accounts and if the account was disabled, which were manual processes that were later integrated into Splunk SOAR.
How has it helped my organization?
As a security analyst in the SOC center, I have seen the impact of implementing Splunk SOAR on our phishing email analysis process. Before its use, analyzing each email would take at least 15 to 20 minutes, with some complex cases taking up to 30 minutes. Of all the emails received, 30% were complex, 50% were average, and 20% were straightforward and would only take five to ten minutes to analyze. With the automation provided by Splunk SOAR, we can significantly reduce the amount of time and human effort required to complete this task. Instead of two analysts taking two to three hours to analyze 20 to 30 emails, one analyst can now complete the same task within one to two hours.
What is most valuable?
The most advantageous feature of Splunk SOAR is its ease of writing search queries, which can be attributed to Splunk's powerful analytics tool running in the background, offering a smooth user experience.
What needs improvement?
Improvements are needed in automation options as customization is limited, which may make complex use cases challenging despite the solution being able to meet basic requirements.
Currently, the tool only allows categorization into two categories, malicious and non-malicious, which has been identified as a limitation by security analysts in various group brainstorming sessions. The ability to create custom categories for emails can benefit security analysts.
For how long have I used the solution?
I was associated with this solution for almost three years. In my previous organization, Meredith, we initially deployed Splunk. Before that, we were using the ArcSight SIEM solution. Later on, after moving on to the Splunk environment, Meredith thought of opting for an automation process. So, we onboarded Splunk SOAR, but the user Splunk was managed by a third-party company.
What do I think about the stability of the solution?
Stability-wise, it is good. It doesn't have any downtime issues. If you consider Splunk SOAR as an independent solution to be deployed at work, then that would not be easy. The challenge is that Splunk SOAR cannot work without the Splunk SIEM solution. But if you have Splunk as your base, then Splunk Phantom works well. So the issues with Splunk Phantom are very minimal. I would rate it an eight on a scale of one to 10, where one is considered the worst and 10 is the best.
What do I think about the scalability of the solution?
In terms of scalability, I believe Splunk SOAR is decent. I haven't encountered any stability issues, even with a large infrastructure of over 10,000 end-user devices and high log inflows. I would rate its scalability as an eight or nine out of ten, where one is the worst and ten is the best. It works well in both large and small work environments.
How are customer service and support?
The technical support for the Splunk SIEM solution was average. Splunk is still working on improving its customer support, as they do not directly support SOAR, which is a separate entity. Other vendors, on the other hand, support various environments. I believe that Splunk can improve its customer support services.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I previously used Demisto, a security automation tool, in one of my previous organizations, Dell Technologies. The ease of writing custom queries and making granular modifications were the key reasons why we used it. In my next organization, I used Splunk SOAR because we already had Splunk in our environment. Currently, I am working in a bank that does not have a Splunk environment, so I am using a different automation tool.
How was the initial setup?
The deployment warranted collecting information on the external and internal parameters of our network system. A network engineer along with a team of four to five people from Hurricane Labs was involved in the deployment of the Splunk SIEM solution for the company. The deployment of the Splunk SIEM solution took approximately six to nine months. During the first three months, the team familiarized themselves with the environment and started the transition from an off-site setup. Over the next six to nine months, the team worked to mature the solution and address any issues with logs not being collected properly and displayed on the Splunk screen.
What about the implementation team?
Splunk SIEM was deployed by a third-party vendor. The vendor was responsible for the end-to-end deployment and was the main point of contact for the project. However, I am not familiar with the specific details of the deployment and therefore cannot accurately explain how the deployment of the solution was done.
What's my experience with pricing, setup cost, and licensing?
In terms of pricing, I would rate it a six or seven out of 10, where one is the highest and 10 is the lowest. It’s on the expensive side, and I'm not sure if a lot of the small-sized organizations will be able to afford it. A medium enterprise environment will be able to afford it. We had to pay for the cost of the licenses for the services we received.
What other advice do I have?
If you use Splunk as your SIEM solution, you can consider Splunk SOAR as your automation tool. However, automation tools such as AutomationEdge or Demisto may provide better value if you have other SIEM solutions.
I rate this solution a seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.