1. Home
  2. Security Orchestration, Automation and Response (SOAR) Tools
  3. Splunk SOAR Reviews
  4. User Review of Splunk SOAR
This is a review from a consultant not from a final user
Updated November 26, 2022

This is a review from a consultant not from a final user

Giuseppe Cusello | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Reseller

Overall Satisfaction with Splunk SOAR (Security Orchestration, Automation and Response), formerly Phantom

I'm a consultant in Splunk and SOAR implementing for our customers and I'm not a final user. The scope of my Use cases is intervened after an alert from SIEM. I tried to use Phantom, but it was difficult so I did the training about Phantom and now it's more clear.
  • Ingestion and analysis of data for security issues
  • possibility to perform automaticincident response actions
  • itpermits to SOC analysts to investigate and intervene on systems
  • The interface isn't immediate in comprehension, I had to follow a training to understand how it works
  • it's expensive: not all the customers can buy it!
  • It needs PostgreSQL as DB, I'd like to have all inside Splunk also data.
  • Satisfy customers
  • Have an integrated solution for our proposal
  • Avoid the presence (as much as possible) of external products in security management
As I already said, when opportunity trained, it's very easy to use the Phantom interface in Playbook creation. In addition, it's useful to securely access every kind of system and automate all the automatable activities. At the same time, permits a straight control on both manual and automated operations. The number of events and systems to manage isn't so relevant: it's relevant only the number of automatable activities and/or the number of operators.
We are a Splunk Partner and I know Splunk Phantom, for this reason we usually propose it, but I don't deeply know other competitor products.

Do you think Splunk SOAR delivers good value for the price?

Not sure

Are you happy with Splunk SOAR's feature set?

Yes

Did Splunk SOAR live up to sales and marketing promises?

Yes

Did implementation of Splunk SOAR go as expected?

Yes

Would you buy Splunk SOAR again?

Yes

As I said, it's complicated to initially understand, but when a user understands its features and starts to use it, it's a fantastic platform for security incident response. I configured it for a customer that migrated its SOC from RSA to Splunk Enterprise Security. Now we're trying to propose it to another of our customer's SOC.

Using Splunk SOAR (Security Orchestration, Automation and Response), formerly Phantom

1 - I'm the only one involved in Phantom Consultancies activities
1 - I'm a Splunk Architect, an expert in Enterprise Security and a CISA
  • Support SIEM in data analysis
  • intervenes on systems after a security incident
  • Automate as many as possibile activities
  • Complete Splunk ES offering
  • Complete Splunk ES offerings
It's a fantastic product, even if a little expensive.

Evaluating Splunk SOAR (Security Orchestration, Automation and Response), formerly Phantom and Competitors

  • Product Features
  • Product Reputation
We're a Splunk Partners and we have a large knowledge about it in our organization, so we preferred to use a fully integrated SOAR product in out projects, the only limitation we encountered in the integrated offer is the high cost of it.
I don't change it!
Im satisfied by this product, We'd propose much more it with a lower price.

Splunk SOAR (Security Orchestration, Automation and Response), formerly Phantom Implementation

I already said that the main key insight is the knowledge of Phantom, so a detailed training for all the people involeved.
  • Implemented in-house
Yes - Analysis and requirements definition
Design,
Installation,
Configuration
Tuning
Change management was a minor issue with the implementation - It need a well done role definition to maintain a complete control on all the activities (manual and automated).
  • No relevant issues

Splunk SOAR (Security Orchestration, Automation and Response), formerly Phantom Training

  • Online training
I never followed an in-person training, I gave my evaluation based on the online training
I followed training for Phantom admins and it opened a world for me

Configuring Splunk SOAR (Security Orchestration, Automation and Response), formerly Phantom

Having a training it's well configurable
Always have a development environment to use for testing.
No - we have not done any customization to the interface
No - we have not done any custom code
No additional configurations or customizations

Splunk SOAR (Security Orchestration, Automation and Response), formerly Phantom Support

Splunk Support is always great! In addition the Community is very efficient and active.
ProsCons
Quick Resolution
Good followup
Knowledgeable team
Problems get solved
Kept well informed
No escalation required
Immediate help available
Support understands my problem
Support cares about my success
Quick Initial Response
None
No never, it's expensive!
No they didn't

Using Splunk SOAR (Security Orchestration, Automation and Response), formerly Phantom

Not immediate: it always requires a training.
ProsCons
Like to use
Relatively simple
Well integrated
Consistent
Quick to learn
Convenient
Feel confident using
Requires technical support
Lots to learn
  • Playbooks at first
  • External Systems access
  • Atomated activies configuration
  • All without training, non with training
  • Maybe installation

Splunk SOAR (Security Orchestration, Automation and Response), formerly Phantom Reliability

me and the customers I encountered found it flexible and scalable