We performed a comparison between Palo Alto Networks Cortez XSOAR and Splunk Phantom based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Both solutions come across as reliable and powerful products. Cortex does slightly better in the Pricing category, however.
"The product can integrate with any device."
"The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user."
"The main benefit is the ease of integration."
"We didn't have anything similar. So, it really provides value from the incidents and automation point of view. The overview of the security fabric is most valuable."
"Mainly, this is a cloud-native product. So, there are zero concerns about managing the whole infrastructure on-premises."
"We’ve got process improvement that's happened across multiple different fronts within the organization, within our IT organization based on this tool being in place."
"It has basic out-of-the-box integrations with multiple log sources."
"We are able to deploy within half an hour and we only require one person to complete the implementation."
"We use the solution to automate our SIEM tools and incidents."
"The Palo Alto ecosystem has a marketplace offering integration with Sentinel or other products."
"The automation part and the playbook creation part are awesome. The way it is responding to the customers and incidents is also very good. In the SOC environment, I guess it will carry out around 50% of the work."
"They have a portal where you can find any kind of integration that you need."
"Many different playbooks are available and can be customized."
"For organizations that are stable with their security operations, like those with around 50 members in their security team running full-phased operations 24/7, Cortex is necessary."
"The solution is very reliable."
"It is a scalable solution."
"When you design a playbook, you can integrate multiple log sources and define rules... After that, the platform automatically compiles all these activities and, based on the results, the analyst only has to indicate whether the result is a true or false positive. That reduces the time and effort involved."
"The most valuable feature of Splunk SOAR that stands out is it has a great SOAR. The automation and orchestration module is highly mature. A lot of use cases are on user entity and behavioral analytics (UEBA), which is artificial intelligence and machine learning-based (AIML)."
"The solution allows us to customize playbooks and incorporate custom code, allowing us to drag and drop elements while still writing code to build the integrations we need."
"The most valuable features of Splunk SOAR are the easy integration with other solutions, including other Splunk solutions. The most important playbooks we need on the market come already on the Frontend. However, nowadays, Splunk changed its name, it's not Frontend anymore, it's Splunk Store. This is a very strong point."
"Splunk SOAR's quick response to incidents is the most valuable part."
"The most valuable feature is the risk-based access control."
"The customizable playbook is the most valuable aspect of the solution."
"The playbooks are valuable. They are the core component. Being able to implement and build a code process to work through and scale out what we want to do is valuable."
"They can work on the EDR side of things... Every time we need to onboard these kinds of machines into the EDR, we need to do it with the help of Intune, to sync up the devices, and do the configuration. I'm looking for something on the EDR side that will reduce this kind of work."
"If I see an alert and I want to drill down and get more details about the alert, it's not just one click. In other SIEM tools, you just have to click the IP address of the entity and they give you the complete picture. In Sentinel, you have to write queries or use saved queries to get details."
"The troubleshooting has room for improvement."
"They need to work with other security vendors. For example, we replaced our email gateway with Symantec, but we couldn't collect these logs with Azure Sentinel. Instead of collecting these logs with Azure Sentinel, we are collecting them on Qradar. We couldn't do it with Sentinel, which is a problem for us."
"Everyone has their favorites. There is always room for improvement, and everybody will say, "I wish you could do this for me or that for me." It is a personal thing based on how you use the tool. I do not necessarily have those thoughts, and they are probably not really valuable because they are unique to the context of the user, but broadly, where it can continue to improve is by adding more connectors to more systems."
"Sentinel's alerts and notifications are not fully optimized for mobile devices. The overall reporting and the analytics processes for the end user should also be improved. Also, the compatibility and availability of data sources and reports are not always perfect."
"They should just add more and more out-of-the-box connectors. It is quite a new product, and it has a lot of connectors, and even more would be good."
"If their UI was a bit more streamlined and easy to find when I need it, then that would be a great improvement."
"Previously, when Demisto was, there was a community edition; we could use it, reinstall it, and customize it. Since Palo Alto took over, it has become more financially oriented. It's business, but they could offer a pro model and a lighter model for different needs."
"The solution's correlation rules and playbooks should be improved."
"The solution should be made a bit cheaper."
"The configuration of the solution could improve it is difficult."
"It's only one cloud right now. It might be helpful for some companies to have an on-premies option."
"Corex XSOAR could be improved by reducing the time it takes to process large amounts of data and increasing the number of integrations."
"Its dashboard features need improvement."
"I would like to see Cortex become less dependent on Active Directory and group policies to manage the deployment. Maybe I need to update my understanding of how to deploy it, but that's the way I know how to use it."
"In the beginning, we couldn't find any specific documents for every function. It wasn't easy to navigate to what we needed."
"The application does not work properly and does not pass the log-based configuration. I feel that some kind of review should happen in the application. This review should validate things so that we can get the right information. Splunk does not tell us where the IP address is associated with."
"The algorithm and machine learning have room for improvement and can be more user-friendly."
"The Splunk SOAR platform was not designed specifically for case management which is why this area needs improvement."
"Splunk's support for integration is subpar and has room for improvement."
"There is a lot of room for improvement with the UI."
"SOAR is probably the most unreliable product Splunk has and that's because most of it is content driven from what you put into it. There are certain parts of it that have a little bit of difficulty at volume too. It's always changing. There is new stuff coming out for it that's going to make it a little bit better, but it does have some drawbacks."
"Creating playbooks using the solution’s playbook editor, for me, is very cumbersome. There have been instances where I have said to myself that I just don't want to use this editor. I might just use a code block and write my own code within it... The functionality in the playbook editor is 80 percent there, but that 20 percent is still lacking. They could make it more efficient."
More Palo Alto Networks Cortex XSOAR Pricing and Cost Advice →
Palo Alto Networks Cortex XSOAR is ranked 2nd in Security Orchestration Automation and Response (SOAR) with 42 reviews while Splunk SOAR is ranked 3rd in Security Orchestration Automation and Response (SOAR) with 32 reviews. Palo Alto Networks Cortex XSOAR is rated 8.4, while Splunk SOAR is rated 8.0. The top reviewer of Palo Alto Networks Cortex XSOAR writes "Enables the investigators to go through the review process a lot quicker". On the other hand, the top reviewer of Splunk SOAR writes "Takes most of the work away, but the time they take to implement new features is a little bit of concern". Palo Alto Networks Cortex XSOAR is most compared with Cortex XSIAM, Fortinet FortiSOAR, Swimlane, ServiceNow Security Operations and IBM Resilient, whereas Splunk SOAR is most compared with Cortex XSIAM, ServiceNow Security Operations, Torq, Swimlane and Siemplify. See our Palo Alto Networks Cortex XSOAR vs. Splunk SOAR report.
See our list of best Security Orchestration Automation and Response (SOAR) vendors.
We monitor all Security Orchestration Automation and Response (SOAR) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
I would recommend CyberSponse. There is a reason why CyberSponse have been awarded Government and Military contracts over all the competition! Commerical customers need the same power and capability, why settle for anything less!