A combined SIEM and SOAR, used to accelerate threat detection and response with holistic security analytics, native SOAR, and intelligent automation.
N/A
Splunk SOAR
Score 8.4 out of 10
N/A
Splunk now offers a security orchestration, automation, and response (SOAR) platform via its acquisition of Phantom. Splunk Security Orchestration and Automation (Splunk SOAR) provides playbook automation and is available as a standalone solution.
In the current lot of hundreds of SIEM solutions out there in the market, ArcSight ESM is fairly less expensive with strong fundamentals in place. The log ingestion, correlation are very well performing and totally worth ROI. However, the tool has lost its way when it comes to staying abreast with current feature curve of SIEM technology and the evolution has not been done by MicroFocus. Search times are high and there is no major plug-in that has been introduced as part of the product life cycle.
Our company has very complex and dynamic security operations because of the large number of security tools and systems that we need to manage and coordinate. Moreover, it helps us to meet many regulatory and compliance requirements because it helps us to automate and document our security operations. We also use it to streamline our security operations and improve our response to potential threats.
Integration with smart logger and ESM to create rules and easy management of the same.
Easy integration with all end point security management tool(IPS/IDS, Firewall, Anti-Virus) and their consolidated output at a single place to effectively rectifying true and false positives.
A lack of instruction It can be difficult to contact the support staff. Limited experience from current users.
It takes some effort to set up and learn new technology at first. More assistance is required from the support staff. The product's price needs to go down.
As we already have a lot of clients being catered with Splunk SOAR and because Splunk SOAR is robust and efficient, we are already using it, and we have understood the product to a certain extent, I feel we are personally more enticed to use and scale it to a lot of business.
Overall, it is a good investment in order for an organization to stay compliant and stay secure from all the wild things happening. It is definitely a cost effective tool with some good features including correlation, log storage, reporting and dashboards. If a customer is looking for advanced set of features, then I would highly not recommend this.
Honestly, it's a bit of a love-hate thing. On one hand it's insanely powerful but on the other, the workflows can be a real headache. You need multiple hours to get comfortable with it.
We are able to automate almost every one of our use cases, even our threat-hunting, and threat intel procedures. We have 20+ playbooks and cover almost everything, even searching logs into Splunk, looking into TIP and external systems, enrichment, and collecting evidence for analysts; it can perform concurrent playbooks running.
I personally haven't reached the support team, however, the engineers never complained about the Arcsight support team. We had some issues with the tool in the past but every time we reached the support, all issues were resolved in a timely manner.
Multiple platforms are already supported by Arcsight. Support is good. Scripts can be used to get data from multiple threat intel sources & the same can be used in correlation rules to detect any suspicious activity. Reporting features are good & you can check any backdated information within new clicks.
Splunk Phantom integrates well with Splunk ES and has many integrations. One thing that I liked about XSOAR as compared to Phantom is that it has an "app-store" where you can download not only app integrations (similar to Phantom) but Playbooks and dashboards as well.
Logger helps us to decrease incident response times.
It also decreased our project times with the man/day calculations. Before this solution, it may take up to 10 men/days to do something. After this, it becomes nearly half of the time.
The playbooks are valuable. They are the core component. Being able to implement and build a code process to work through and scale out what we want to do is valuable
Before its use, analyzing each email would take at least 15 to 20 minutes, with some complex cases taking up to 30 minutes...With the automation provided by Splunk Phantom, we could significantly reduce the amount of time and human effort required to complete this task
