Splunk Phantom Review

Very stable with a straightforward setup and good performance


What is our primary use case?

We are doing some automation on the SIM and we are getting some SIMS and we are looking for some automation to improve the security environment. That's how we are currently using Splunk.

What is most valuable?

Comparing this product to other SOAR tools, most of the items are the same, however, the UI of Phantom is pretty good if you compare it against other SOAR tools.

The work formation and the templates based on some use cases all look good.

The product is very easy to use and has a very good user experience.

The solution is very stable.

The initial setup is pretty straightforward.

We've found the written documentation to be excellent.

The performance is very good.

We've found the solution has recently improved its UI.

The customization continues to be excellent.

What needs improvement?

In the beginning, we couldn't find any specific documents for every function. It wasn't easy to navigate to what we needed. However, lately, it has improved and we are able to find Splunk documents for all the functionalities of Phantom. 

It would be helpful, on the other hand, if there were videos regarding each functionality. That would make it even easier to work with Phantom. We are able to find some documentation in written form, and that's fine. If it is in a video format, then it would be better due to the fact that, in some environments, we find some other issues or something and it would be nice to have a visualization of the process.

The solution is a bit more expensive than other offerings.

I'd recommend that the solution add some new apps, or some average services, like bots or G-Suite. We may already have G Suite in Phantom. Bots, like any common VPN service, would be great, however.

For how long have I used the solution?

I've used the solution for about one year or so. It hasn't been an extremely long amount of time just yet.

What do I think about the stability of the solution?

We haven't had any stability issues at all. It doesn't crash or freeze. It's not buggy. There aren't glitches that I've seen. It seems very stable and very reliable. 

We have had an issue related to the firewall. However, that had nothing to do with Splunk directly.

What do I think about the scalability of the solution?

We have five or six individuals that handle Phantom at any given time, as needed.

We didn't try to scale Splunk due to the fact that we already have a VM and we are working on that. We don't use Phantom too much as we have some community license. Based on the license, we are running simple actions only, and therefore we are not giving that much of a workload to Phantom.

How are customer service and technical support?

I haven't been in contact with technical support at all. I can't speak to their responsiveness or how helpful they would be.

That said, some of my colleagues have done a boot camp with technical support, and they likely have had contact. I haven't heard of anything negative.

Which solution did I use previously and why did I switch?

I didn't previously use a different tool. This is my first SOAR tool. I've also used Demisto. These are the two tools that I have and that I currently work with.

It's my understanding, from a customer's perspective, that the better solution is Demisto based on licensing costs, however, in terms of the performance and efficiency involved, it's Phantom. Phantom is a bit more expensive in general.

How was the initial setup?

The initial setup seems pretty easy. While I didn't personally handle any part of it, it's my understanding that it's not a big issue to implement everything. We were able to install the file easily. It was straightforward. When we were handling the clustering part, it was a little difficult as we had some license issues. We need a license to get that clustering part set up. It would be ideal if they offered at least a trial license so that we could see how it works and the formation, etc. Right now, without any license, we aren't able to do this clustering part.

I'm unsure as to how maintenance is handled on the solution. I believe we need to handle it manually as we did not install any bot that would handle anything. There may be alternative workarounds in newer versions.

What about the implementation team?

I'm not working deeply on Phantom. In fact, I'm concentrating more on SIM. My colleagues are the ones working on Phantom. Therefore, I'm not sure if we actually had outside assistance or handled everything internally.

What's my experience with pricing, setup cost, and licensing?

We use a community license. We don't have to pay for any actual licensing. However, the solution, when you have a paid version, is quite costly. That said, in terms of performance, it's worth the extra cost. Also, it's my understanding that everything is included in the licensing cost, once you pay for the product. There aren't any added fees.

What other advice do I have?

We have a business relationship with Splunk. We're partners.

We're using the solution on our VM and also on our database cloud.

I'd recommend the solution to other organizations. Compared to other products, Phantom seems to be easy to use and the ability to customize is high. Compared to the older version, the newer version is very customizable. We can very easily create custom functions. The UI looks good and is also improved. 

I would rate the solution eight out of ten.

Which deployment model are you using for this solution?

Private Cloud

Which version of this solution are you currently using?

4.7
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Updated: February 2021.