Splunk SOAR Reviews

We are a consulting firm and this is a solution that we use for ourselves, as well as implement it for our customers.

Our use case is to establish a platform for threat analysis across different data sources that we have in the company. Essentially, it is an orchestration platform and we want to make sure that we can tie into different endpoints or data sources from which traffic originates. We need to then detect and analyze threats.

The most valuable feature is the risk-based access control.

The team collaboration when it comes to detecting a threat is helpful.

I like the fact that we can leverage the API to be able to establish a connection and share information across different repositories.

The flexibility that it has when using different protocols, like TLP, for communicating, is fairly good.

This solution supports the automated handling of phishing attempts through the collection of potentially malicious emails from end-users. It analyzes them, identifies threats, and assesses risk.

Phantom was only recently acquired by Splunk so it is not fully integrated yet. Our area of concern is that Splunk Phantom works with the other Splunk products. At this point, there are certain things that are not fully operational across the rest of the product line.

The extension of the product to allow for better integration with other data sources is something that needs attention. We want to see improvements made to the APIs such that we can connect to many different systems and data sources.

The search capability could be improved by way of better indexing and also integration with third-party solutions such as Elasticsearch.

I would like to see escalation management and integration with communication tools like Slack.

I would like to have more capability around analytics.

There needs to be a better facility for documenting and storing issues, as well as being able to find those issues. Splunk does a good job of that, so I think that it will be done.

The solution overall is stable, but it could be more so. It is an application server and there is a vulnerability when a traffic overload occurs, or if there is an incompatibility with a backend or another data source. There is a risk that something can freeze up.   

High Availability / Disaster Recovery (HA/DR) is key and Splunk Phantom’s product offerings must ensure sharding and clustering to enable scalability and automated failover

Because this is an orchestration platform, it's supposed to offload the users from being directly involved in looking at and analyzing security issues. It is something that you just let run. From an administration standpoint, we have a team of ten people that work around this platform.

Prior to Splunk acquiring Phantom, the support for this solution was subpar. Now, however, the support model has changed and it is pretty reasonable.

The initial setup takes some time because you have to configure it and then connect it to different data sources and make sure that they operate properly. It requires an engineer who's fairly knowledgeable in security, interaction, setup, and administration.

In terms of the deployment time, I think that it is something that you can get up and running in perhaps two or three months. I don't think that you could get this up and running fully in a week, for example.

It is a subscription-based licensing model that varies depending on how much data is processed by Spunk. There are built-in volume discounts.

There are some additional costs if you want to get some front-end support or installation or setup, which is part of professional services. There are also some modules, such as analytics, that Splunk will provide for an additional fee.

My advice to anybody who is considering this solution is to first really understand the requirements that you have, well enough. You need to identify and understand the data sources that you need, prior to purchase, to ensure that there is a need and also that there are no issues with incompatibility or connectivity. You also need to have the right resources to assess, implement, or oversee the implementation. You're going into an environment that requires a little bit of understanding of artificial intelligence because the SOAR platform requires setting up some rules. You also need to have a technical support group in-house to be able to help, otherwise, you would be dependent on Splunk for assistance.

Overall, this product is fairly good but it's not quite mature yet. It needs some enhancement and some stabilization in some areas.

I would rate this solution an eight out of ten.

Splunk SOAR can be deployed on-premise and in the cloud.

The most valuable features of Splunk SOAR are the easy integration with other solutions, including other Splunk solutions. The most important playbooks we need on the market come already on the Frontend. However, nowadays, Splunk changed its name, it's not Frontend anymore, it's Splunk Store. This is a very strong point.

I have been using Splunk SOAR for approximately two years.

We have approximately six users from one client and four from another client using Splunk SOAR.

The technical support from Splunk SOAR is good. However, you can always resolve the problem with the community. Splunk has a very good community, and most of the time, we find a solution much better, it is easier and quicker in the community, instead of waiting to open a ticket for Splunk. When you open a ticket, you go into a queue, then the feedback is a little bit slower.

The initial implementation of Splunk SOAR is in the middle range of difficulty. It is not very easy because you need to understand a little bit of the solution to deploy it, but as soon as you learn it, it becomes very easy because most of the integrations are ready. It's very easy to change playbooks, or create a new playbook because you do not need to know how to code. It doesn't matter how the language of the coding it's running in the back end to learn your playbook. It is up to you to create a playbook using the UI interface. If you want, you can code your own if you enjoy coding. You can have the opportunity to change or create some playbooks with Python codes, but you don't need to do that, it is optional. Anyone can develop their own playbooks.

The deployment of Splunk SOAR on premises took approximately 15 days, and deployments in the cloud took approximately two days. You learn how to integrate the solution by doing it. It took about two days because it was my first time, but the next time, when I do it, it will take approximately half a day.

Splunk SOAR has room to improve its offering for small-sized customers. The price is not fair for smaller-sized customers.

The price of Splunk SOAR is based on the number of people using it. Once you increase the users, the prices go goes up. The customer receives a license for the user that is going to operate it in their environment.

I rate Splunk SOAR a ten out of ten.

We're not really creating the use cases. Our internal team is developing the use cases. Right now, we have automated the whole phishing process. After that we are still planning to automate a few more things like malware investigation and then from there other processes.

We're in the POC phase. We need more time to get used to the solution and to understand it better to discover the most useful features.

So far, the interface is very easy to use.

The GUI is great.

The features in the Phantom playbook are all very good.

You can build different playbook and you can play with the playbook. One playbook can give you insights into URL applications, one playbook you can give the reputation about the file access. You can build different playbooks and after integrating all the playbooks you can come up with some organizational directions and decisions. It will give you very good insights into various incidents.

The solution is great for automating redundant work.

It's difficult sometime to manage the amount of reported suspicious emails. Using an intervention like this solution helps make that task easier.

We haven't had too much experience on the solution.

The solution is relatively new in the market.

It would be ideal if we could automate processes even more.

The interface is great, however, they could still keep refining it to make it even more user friendly.

We have used the solution over the past year.

At a previous organization, I did work with another tool in Beta. It was able to provide UVA capacity. I'm not sure if they used a different tool at this current organization.

The Phantom has better GUI, however, I'm not able to clearly see the risk fabric.

I wasn't part of the deployment team. I have no idea if the initial implementation is straightforward or complex.

Technically, we are still in the deployment phase. We haven't finished yet. We are yet to go live. IN the next few weeks we'll go live, however, only on the phishing features.

I'm not aware of the company looking into other options before choosing this solution. All of this was handled by the procurement team, and I am not a party to their decision-making process.

I'm not sure which version of the solution we're currently using.

If a company wants to automate redundant work, this solution is perfect for that. Very specific processes can be easily automated to save time. That way, analysts can invest their time elsewhere. Phantom is one of the great tools for reducing redundancies. 

I'd rate the solution eight out of ten.

Our primary use case of the solution is for fine tuning. We provide professional services for our customers to enhance their ability to use the functionalities of Splunk. We're integrators of the solution. 

The most valuable feature of Splunk is a very flexible integration with other tools. Compared to other products in the market, Splunk is very user friendly, and not very complicated. It integrates with most of the endpoints and that's a very positive side of the solution. There's no need to remember a lot of things and documentation is great. I really appreciate that aspect. Since it is cloud-based there is a lot of flexibility. And most of the challenges that I have faced with the solution can be found in the documentation itself.

At this point, I'm very happy with the solution. There's nothing there that disturbs me. Security orchestration is a new emerging issue in the market. If I have to compare with other security orchestration tools, Splunk is a good solution. Many vendors have opted for Splunk because of easy usability and connectivity to radius devices.

I've been using this solution for about six months. 

Stability is good

Scalability is good, allows flexibility. That's what makes life easy. 

There's great documentation and most of the challenges I've faced, I've found the solution via the documentation. I've never contacted the technical support which attests to the quality of the documentation. 

I know RSA and Splunk are similar solutions even though I've never used RSA. I know that Splunk is user friendly and doesn't require in-depth knowledge. Everything is file based, applications like RSA rely on databases. I have the confidence of being able to use Splunk efficiently and there are a lot of features I can handle myself the way I want to. 

Initial setup is very straightforward and simple. Much easier than other tools, it takes a couple of days depending on the architecture. 

The solution is for our clients so we don't deal with the licensing aspect. 

It's important to know your customer's requirements so you can choose the correct solution. The budget also needs to be taken into account. Most customer's budgets suit a Splunk solution whereas RSA is much more expensive. 

I would rate Splunk Phantom a seven out of 10. 

I'm just a beginner on the solution and it's pretty easy for me to use. 

Our team likes it. They've been using it for a while and they really seem to like it. They know more about it than I do at this point, as I'm still new.

It's a default for a lot of things on our system.

We've had trouble implementing the solution with Microsoft products. There seems to be an integration gap. 

The pricing of the product could be more reasonable.

While I am a beginner on the Splunk platform, our team has a good amount of experience with it overall. I've personally only been working with it for two or three months or so. It hasn't been that long.

I've never actually opened a ticket with Splunk technical support in the past. I can't speak to how helpful or responsive they are. I don't have any experience with them to discuss how helpful or responsive they are.

The licenses are quite expensive at this time. They need to work on the pricing in order to make the costs much more reasonable.

We are a customer and an end-user. We don't have a business relationship with Splunk.

I can't speak to which version of the solution we're using.

I'd rate the solution at seven out of ten overall. 

My primary use case was for the MITRE ATT&CK parameters. I have some experience with MITRE ATT&CK for SIEM and SOAR solutions.

I like the integration capabilities of Phantom. It has a lot of integrations with other products.

Its searching methodologies are also good. It is also easy to understand and easy to create playbooks.

I haven't used it fully, but based on my usage, I could not find simulation tools and features. It currently lacks simulation features, which are important for me for creating a playbook.

It is also very expensive for my region.

I have been using this solution for one year.

I didn't focus on that feature, so I cannot say anything about that.

I don't have any experience with their technical support. My customer was using it in their company, and I had some experience with this solution over there while managing their security solutions, but I didn't get in touch with Splunk specialists.

Its initial setup is straightforward. It is similar to most of the solutions. I didn't have any complexity.

I don't know the exact price, but for my region, it is very expensive.

I would recommend this solution, but it also depends on the price. Splunk is number one for SIEM or SOAR. Another solution that I would recommend is Palo Alto XSOAR. 

I would rate Splunk Phantom a nine out of ten.