Splunk SOAR Reviews

We are primarily using it to automate tasks for our incident response team. They use it to block suspicious traffic from our network detection system and for alerts from our endpoint security system. Those are the two major use cases we're using it for right now.

It has definitely saved a decent amount of time for our analysts so they can focus on other tasks. This gives us more value for man hours.

It has definitely improved our business resilience. It's given us greater visibility into the environment we have and the ability to collect all of the threat and log data and put it into one central place.

The ability to connect it to external apps is the most valuable feature. We've also gotten a lot of use from writing custom apps for some of our authentication systems for password scramble.

Splunk's ability to predict, identify, and problem-solve in real time is really good.

Splunk's ability to provide business resilience by empowering staff is fairly high. It detects issues as they come up and responds to them.

We have seen time to value. I did help configure it, but we do have the cloud solution, so it was mostly in place.

It has definitely helped to reduce our meantime to resolve. Having it there to automatically take action as events come in and not needing the analysts to have to go out and have a look is how it saved time.

We've run into a few minor issues. Some of the playbook writing is a bit complicated. We've had a few hiccups with the source control. We'd really like to use GitHub deployment keys for a dedicated account. We haven't been able to do that. I think those are some of the major ones. 

There is a general learning curve as far as playbook writing goes. 

I have been using SOAR for four to five months.

Stability is good. We've had a few hiccups with apps, but never a major outage. I would rate it an eight out of ten.  

I haven't really grown it very wide yet, but I could easily foresee us doing that.

I've opened a few tickets for different issues with apps, and they have always been responded to fairly quickly. I'd give support a ten out of ten. 

Positive

I did help configure it but we have a cloud solution, so it was mostly in place.

The development was fairly straightforward. There were some issues setting up the single sign-on, but we were able to get help from Splunk to get all that straightened out. The roles in user accounts and onboarding were all fairly straightforward. App configuration is also something that's pretty streamlined and intuitive.

We did it all in-house.

We have seen ROI in its ability to streamline and automate mundane tasks that we would run into on a daily basis. It freed up DevOps people from having to maintain custom tools that were previously used to complete similar tasks.

I would rate Splunk SOAR a nine out of ten. 

My primary use case is for SOC automation but it's used for a lot more than that. Some of the use cases are more or less appropriate for it. It's capable of doing a lot of things.

We use the SOAR platform to ingest alerts and escalations that we get. They do the actual enrichment processing and triaging but we don't use it for detection. We potentially could, but it's not what the product is meant for.

The visual playbook editor updates that they released have been absolutely instrumental because the old editor was impossible to look at for most of the time. It made my eyes bleed. I still have to look at it from time to time. 

Splunk does provide substantial value. 

It definitely does reduce our mean time to resolution through the enrichment details that it provides. Inputting your facts and details of the things you do not want to see with the events coming into it and easily filtering down off of that is one of the main value drivers outside of phish removal.

The most valuable feature is the API connector, depending on how it's formatted and who made the actual app offering for it. The REST API is my favorite component. It's very easy to use. The filters are also really valuable. Those are the two primary features but I enjoy using the rest of it. 

SOAR is probably the most unreliable product Splunk has and that's because most of it is content driven from what you put into it. There are certain parts of it that have a little bit of difficulty at volume too. It's always changing. There is new stuff coming out for it that's going to make it a little bit better, but it does have some drawbacks.

It's specifically geared for SOC and not broader automation. The artifact filtering that's forced on everything inside the platform is pretty awful. It's for a subset of active playbooks which, out of the two hundred that we own, I think three or four of them are active, but we have to play with that setting for each one of them. 

Every block should also have that option specifically because if you're not doing the artifact filtering on the front end, it's not good. 

We've had lots of processes that have been victim to filtering not working appropriately at scale. It's hard to actually track down and trace because we can't reproduce the issues that we see in our testing environment or in production. That was two minor versions ago. It might have changed, it might not have, but we don't have a lot of trust in that feature.

UI elements like interacting with our analysts are near impossible. Finding stuff on the actual dashboard is really impossible most of the time. One example is that the timeline takes up three-quarters of the screen, but not a single person uses it because you have to individually set the container, the artifacts, and the actions to a specific attribute field that's really difficult to correlate to the actual events you put into it. The artifacts are really weird too because they're not traditional forensic artifacts. You shouldn't be able to change the value of an actual artifact. It was in that capacity but we also use it for that purpose in the platform. 

My company was one of Splunk's first five customers. I have been using it for the last three years.

I've only crashed SOAR a few times and it was my fault. If you have a production environment that's been running for a month or two and you have a few thousand events in it, if you mess up your query when you're trying to ask it a question and you do page size zero, it will just give you things on it, and it will crash it. That's a fun thing, but you shouldn't do that in general. That was a mistake on my part. Generally, it is very stable and available as most of the issues are usually the fault of the vendors that it's talking to, but that's with any platform.

Scalability is interesting. Some of the assets do choke each other out. There is a cyclical lock thing that we had to fix on our inside. We have a CrowdStrike app, and we give it a file and ask it to do something and it goes great. It tells us that the default wait time is fifteen minutes, and there's only one of me. But there are five processes competing for that, and you get a giant backlog. We had to make our own custom app to get it later. 

We have about fifty users on SOAR and a few hundred playbooks. Our environment is fairly large in terms of standard customers.

I didn't do the initial integration, it was many years ago but we do deployments with the platforms team because we have the experience. 

We have it down to a pretty good science right now because platform science does a really good job of automating the steps that go into setting up the server and whatnot. One good thing about the SOAR connectors that we have in the apps is the ability to save states and for apps just to self-heal. That has been really helpful because things go down from time to time and we don't have to worry about it because there's a second or third process that's going to pick it up.

I have heard they are changing pricing, not possibly for the better. In comparison to the other vendors we looked at, they're all in the same ballpark of what they should be billing on. SOAR makes the most sense out of all of them, in terms of the billing factors.

We are looking at other platforms currently to compare areas. Splunk's editors are exceptionally better to look at. Visually, it's easier to find things and configure them. 

There is more capability out-of-the-box for doing typical data transformation that you don't have to write too much code for, which is really nice. The code blocks have annotations in them. So when you actually open and look at what you worked on, four or five months later, you have your notes right there in the same place where it runs, which is really handy. 

It's also just built for broader automation and it's all more HTTP, actions-based. Instead of having to build a connector, then put that on GitHub and install that in your platform, you can define an endpoint with credentials and you can do the same thing with SOAR. It's encouraged to do it with the actions and assets, which can be beneficial depending on what the product is. 

If we do continue using SOAR, I think we're going to default to using more HTTP actions and stop using too many assets because it's a bit of a burden to create one, especially if out-of-the-box the actual configuration doesn't do what we need it to. 

One example of this that we have is the request tracker app that we use for all of our tickets. When you ask it for the ticket information, it will return the metadata on it, nothing inside the actual ticket. That's a fork we have to create. It didn't actually do the basic product functionality that the vendor should be providing. 

We also find that the vendors don't always keep the SOAR connectors updated. Sometimes they'll update the associated API, and then their connector will stop working because they're on different versions, and then we have to force our own fix on that. They usually make a SOAR connector just to say that they have one, but they won't put too much effort or thought into it.

I'd probably rate the functionality an eight or a nine out of ten. I would give the UI a four out of ten. I would rate general Splunk SOAR a seven out of ten. 

The solution provides information on user accounts. The solution has playbooks that check the user with server ID. It checks the domain name and IP address of the web page.

The solution has helped my company in many ways. It gives us information on the IP or server that is related to physical services. The tool also gives us alerts.

The solution’s dashboard is really good and customizable. It also has a good UI.

The application does not work properly and does not pass the log-based configuration. I feel that some kind of review should happen in the application. This review should validate things so that we can get the right information.

Splunk does not tell us where the IP address is associated with.

I have been using Splunk SOAR for more than one year.

I would rate the solution’s stability an eight out of ten.

I would rate the solution’s scalability a ten on ten. There are more than twenty users of the solution in our company. We plan to increase the usage.

I would rate the solution’s support around seven to eight.

Positive

The solution’s setup is easy.

The solution gives us better ROI.

The solution’s pricing is costing at some points.

I would rate the overall solution a nine out of ten. The tool automates many of your threat-related activity and gives you alerts based on our criteria. This solution is definitely useful. The product gives us the power to handle anything.

We use the solution to search the logs, check the threat indicators, threat tasks, etc. It helps us check any alerts that we get in the alert report. Based on that, we react to that particular alert.

The tool's most valuable feature is its searchability and ease of action on the logs. I can easily search within the logs and take action on them, and I can trace them back to my environment because the way the logs are written is very helpful for us.

Overall, if any incident or anything happens in terms of security, then Splunk SOAR is the tool we look at first.We have a nice dashboarding and alerting system when we see an alert. It gives us direct access to the specific alert, detailing what happened when it occurred and where it originated. It helps us to identify the affected site faster. 

Splunk SOAR helps us to save a lot of time. We have integrated it with some SIEM tools. 

The tool's response is slower because it has to search through a huge dataset, which can be improved for latency.

I have been using the product for three years. 

The only issue I've noticed is the latency when accessing data for longer periods. Sometimes, fetching data from the API can take a lot of time. However, apart from that, everything else seems stable.

The tool is scalable. We have scaled it to about thousands of assets. 

I haven't had much direct interaction with customer service and technical support. Our central Splunk team manages those aspects for us. I have heard that the response time is good. 

The tool's deployment is done in-house. 

I rate the overall solution an eight to nine out of ten. It's helpful from both an operations and product security perspective. 

This is a DevOps product.

We use the solution to monitor the activity of users and integrate Splunk UEBA, monitoring traffic, packages, external attacks, left movement, and lateral movements. We also use it maybe inside the person's C2 servers, and for exercise and SQL injections. Basically, we use the solution for any type of attack that can happen regarding the meter attack grid.

The solution is very versatile.

It's a multi-functioning solution.

My understanding is the initial setup isn't too hard. 

The version control is excellent. 

Technical support is extremely helpful and responsive. 

The pricing could be a bit more reasonable. It would be great if it were feasible for smaller organizations. 

I've been using the solution for two years now as a part of the bigger Splunk Enterprise deployment.

The stability is great. It offers easy version control. There are no bugs and glitches. It doesn't crash or freeze. The team is doing great managing releases. 

The scalability is very high. It is easy to expand as needed. 

I use it in a very large organization with well over one million users worldwide. 

We have a premium and dedicated team for tech support as well as a dedicated account manager. Everything is dedicated to the deployment. I can't say I'm not satisfied. Their response is usually very fast - within 30 minutes - and we have good experience with them.

Positive

While I use other products as well, 90% of my day is on Splunk.

While I didn't handle the implementation directly, I understand it's pretty easy.

While the pricing is high, I don't care as long as the enterprise pays for it. For developers, it is free for 6 months and 500 GBs of ingestion per day.

From an enterprise standpoint, I'd rate the pricing ten out of ten as they are doing a great job and we are getting value for what we pay.

I'm an end-user.

I'd advise new users to spend some time at the outset learning the commands. It will make it very easy to deal with.

I'd rate the solution ten out of ten.

We primarily use the solution for supporting or automating the email spam items and some ISMS monitoring items, et cetera. 

I'm not implementing the solution. I'm selling the concept. Therefore, my technical knowledge is limited. 

The solution is stable. 

It is very scalable. 

Technical support is helpful. 

There are only problems if the customer is not ready with emergency plans or standard procedures if something breaks. There is some homework to be done before you can really properly use Splunk SOAR.

Resolution times could be faster in terms of support.

It could be easier to implement. 

We've used the solution for two to three years. 

The stability of the product is pretty good. It's really stable and the customers are satisfied with the solution, however, they must be always aware that it's a living project. It's always run against hackers.

It's pretty scalable. It's outstanding in administration, so you don't have to put too many HR resources on it. That's one of the advantages. The implementation must be proper and thoroughly thought through. However, afterwards it's really working very well and with less administration compared to QRadar or something like that.

We have customers that have users that range from 100 to 10,000 people. 

The support is quite good. Sometimes, of course, you want to have a shorter resolution time, however, it also depends on the service that you buy.

The initial setup requires some work. It may not be easy for everyone to implement. 

The deployment times differ. You can't say, for example, every time you need 100 days or 10 days or something like that. It's specific due to the use case and what you want to implement or automate.

We have around five and up to ten people in the core security team that deal with the product in terms of deployment and maintenance. 

We are able to implement the solution for our clients. 

Usually, you have a yearly license. However, Splunk must be more flexible and they have to be more sensitive about this topic. My understanding is that they're working on a new pricing model.

We install the solution for our customers and use the solution as well. We're an implementor. 

I'd advise new users to start at a small scale, since you have to learn about it. You can't implement it with a big bang. You must really go through it and do your homework. You have to have your backup plans, you have to have a real transparent view of your IT landscape. If you have this and your logs are quite good and the playbooks are implemented properly, then you can really scale up. You just have to do it step by step, as it's a bit of a learning curve that you have to go through.

I'd rate the solution eight out of ten. 

Splunk SOAR can be deployed on the cloud, on-premise, and hybrid. If you want to put it to your cellphone or public cloud to use cloud services, such as Amazon AWS or Google Cloud Platform it is possible.

The main usage is for security monitoring, insider threat protection, user and entity behavioral analytics (UEBA), Security orchestration, automation, privileged user and account protection, and security against attacks, such as phishing and advanced malware attacks.

The most valuable feature of Splunk SOAR that stands out is it has a great SOAR. The automation and orchestration module is highly mature. A lot of use cases are on user entity and behavioral analytics (UEBA), which is artificial intelligence and machine learning-based (AIML).

Splunk SOAR can improve IoT/OT security-related case studies or your use cases. Their integration with identity and access management (IAM) solutions is a bit shaky. They don't have good integration with a lot of IAM solutions. They do have good capability in terms of user access management internally, but even with privileged user access, they have a good module. However, if they have to integrate with solutions, such as CyberArk or IBM IAM solutions they are lacking, the visibility of user access is not that much.

I have been using Splunk SOAR for approximately 10 years.

The stability of Splunk SOAR is good.

Splunk SOAR is highly scalable.

I rate the support from Splunk SOAR a three out of five.

The support knowledge of use cases from the telecom industry, and IoT industry are good. They're good at accommodating normal IT use cases, but when it comes to operating our OT devices, or telecom-related use cases, they're not really flexible or good at it. In terms of developing use cases for them, they are not that good. For example, if they are approached by some vendor and they say, "Devise up some use cases for Nokia and Huawei", these are our basic telecom providers, it's really difficult for Splunk SOAR to make use cases for them. They're good at IT, but they're not good at OT and IoT.

Splunk SOAR is easy to deploy. It has a lot of already built-in use cases, and it is very easy to customize. For the deployment of Splunk SOAR, it takes approximately two engineers. For a medium complexity, 3000 DPS-sized deployments, it will take a half month. If there are a lot of custom use cases, you can add another month for those customizations to be completed.

We need approximately four to five engineers for maintenance for a dedicated sizing. If you are going for a shared model, then two to three engineers would be sufficient. Both have 24 hours a day seven days a week operating windows.

I won't say ROI's not there for Splunk SOAR. It's a value-for-money solution, but if they charge less, then it will bring more value. Currently, the ROI is flat, you will hardly have an ROI.

Splunk SOAR follows very flat pricing and most of the time it's very high when compared to the other competitors. They can improve their pricing. The licensing model is a subscription and is consumption-based.

I rate Splunk SOAR an eight out of ten.

Security Operations and Incident response processes automation and alerts enrichment.

I have found all the security automation platform features of Splunk SOAR to be good. The Automation playbook development is highly useful.

The Splunk SOAR case management feature lacks some of the functionalities like the possibility to fully customize the fields for the tickets/events and create custom statuses. 

I have used Splunk SOAR within the last 12 months.

Splunk SOAR is a stable solution.

The scalability of Splunk SOAR is good.

We have approximately 100 people using this solution in my organization.

The technical support is good.

Positive

The initial setup of Splunk SOAR is complex. It has multiple integrations, deployable on many different development infrastructure stages of production. It has a full life cycle.

We have approximately two people for the maintenance and support of Splunk SOAR.

The price of Splunk SOAR is reasonable.

My advice to others is they will need some Python developers for Splunk SOAR because it's not possible to only throw some blocks of Python code and it will work. You will need some experienced Python developers if you want to work with this platform.

I rate Splunk SOAR a nine out of ten.