Simple automation development without necessity (but ability) to write code
February 23, 2022

Simple automation development without necessity (but ability) to write code

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk SOAR (Security Orchestration, Automation and Response), formerly Phantom

Splunk SOAR is used to ingest alerts from Splunk searches and to enrich and automate actions based on the alerts. Splunk SOAR is integrated with many of our third-party apps in order to respond effectively to alerts. Enrichment is provided automatically based on certain indicator types while most response actions involve human interaction for approval.
  • Third-party integraton
  • Custom code
  • Simple GUI playbook development
  • Expensive
  • No built-in way to share playbooks or browse for playbooks developed by others
  • Avoiding repetitive tasks
  • Reduce time to resolution
  • Eases approval process by including relevant data about events
Phantom playbooks execute much quicker than the alternative which would require human intervention however they can take some time, even up to 10-15 minutes depending on playbook complexity and number of integrations. Occasionally, Phantom will slow down when processing a large number of events at once and running multiple playbooks on each event.
Phantom has the ability to automate many actions based on the assets integrated with it such as Active Directory, Office365, AWS, Azure, ServiceNow, VirusTotal, EDR products, etc. It is also possible to fairy easily create custom apps in Python to integrate with a any sources which may not exist in Phantom.
Splunk Phantom integrates well with Splunk ES and has many integrations. One thing that I liked about XSOAR as compared to Phantom is that it has an "app-store" where you can download not only app integrations (similar to Phantom) but Playbooks and dashboards as well.

Do you think Splunk SOAR delivers good value for the price?

Not sure

Are you happy with Splunk SOAR's feature set?


Did Splunk SOAR live up to sales and marketing promises?

I wasn't involved with the selection/purchase process

Did implementation of Splunk SOAR go as expected?


Would you buy Splunk SOAR again?


Phantom is suited for use cases where you have well-defined alerts and can take action based on some data available in the alerts. Some examples are reaching out to third-party tools via Phantom assets and performing some action such as data enrichment or a response action such as quarantining a host.