Splunk SOAR User Guide

Updated 7 months ago by Steven Chamales

Setup:

TruSTAR setup + workflow setup.

  1. Set up the TruSTAR App for SOAR.
  2. Refresh the playbook list to pull from the Community repo.
  3. Confirm the TruSTAR App asset that the "trustar_enrich_indicators" playbook will use (default=trustar).
  4. Change both playbooks from Community -> Local (Save As).
  5. Confirm / update the Prompt username.
  6. Set the threat_intel_investigate playbook to "active".

References

Use-Cases: Overview.

The Splunk SOAR<>TruSTAR app is intended to be used to achieve 3 use-cases:

  1. Use TruSTAR indicator enrichment to manually apply SOAR tags to a SOAR container's indicators that will be used to drive subsequent actions by subsequent playbooks.
  2. Automate actions based on an indicator's TruSTAR Priority Score.
  3. Triage phishing emails.

The Challenges.

Challenge: Rapid manual response selection.

Description:

  • most SOAR users manually select responses; only the most advanced fully automate response off of intel.
  • currently there is no way to rapidly iterate over an investigation's (or phishing email's) indicators, see the indicator's enrichment, and specify processing instructions for that indicator.

Old way:

  • build an ETL logic playbook to fetch all enrichment about the observable from all the intel sources.
  • normalize all the sources' scores / attributes / properties to a common scale.
  • paste the enrichment to the tickets as notes.
  • look at one note at a time.
  • review several notes about each observable.
  • navigate to that observable in the artifacts list.
  • a few clicks later, select some other playbooks to run on that observable.

New way:

  • run the playbooks we built for you.
  • use the Indicator Processing UI.
  • done.

Challenge: Multi-Source Intel-Driven Automation

Description:

  • TABLE STAKES:
    • MULTI-SOURCE INTEL MUST BE AGGREGATED & NORMALIZED TO COMMON SCALE / MODEL FIRST.
  • No standard intelligence industry datamodel.
  • Many intel producers, many formats, many datamodels, many scoring scales, many different fieldnames for the same datapoint, many constantly-changing APIs.

Old way:

  • define your datamodel & scoring scales.
  • learn intel sources' datamodels and scoring scales.
  • map intel sources' datamodels + scoring scales to yours.
  • build playbooks to:
    • extract intel from sources.
    • normalize intel to your datamodel.
    • use your normalized intel to trigger automated response playbooks.

New way:

  • configure TruSTAR.
  • configure the TruSTAR app for SOAR.
  • use the trustar_indicator_reputation action's output to trigger automated response playbooks.

Challenge: Investigation enrichment notes.

  • read markdown-formatted indicator enrichment notes.

Value-proposition.

How do this app + playbooks help streamline your workflows? Each use-case below lists the value prop, the capability, what you must do without this app + playbooks, what changes with this app + playbooks, and an example.

Manual Indicator Response

Value prop: Manual Indicator Processing

Capability: Manual Indicator Review & Processing

Without this app + playbooks:

  • must aggregate + normalize intel from all enrichment sources in the playbook.

With this app + playbooks:

  • TruSTAR enrichment native to Splunk SOAR's gold-standard manual indicator response playbook.

Example:

  • aggregate intel from sources.
  • manually block them across all perimeter tools.
  • manually safelist.

Automated Response

Without this app + playbooks:

  • must build a playbook that aggregates + normalizes intel from all enrichment sources.

With this app + playbooks:

  • the playbook only needs to call TruSTAR to fetch enrichment; TruSTAR has already aggregated, normalized, prioritized and prepared the intel.

Phishing Event Prioritization

With this app + playbooks:

  • SINT is a native part of the standard SOAR playbook you can use.

Use-cases: Relationships.

For each use-case of this app: the associated TruSTAR use-cases and the associated SOAR Community Playbooks.

Manual Indicator Response

  • Associated SOAR Community Playbooks:
    • threat_intel_investigate
      • calls: trustar_enrich_indicators

Automated Response

Phishing Triage

Use-Cases: How-to.

Manual Indicator Response.

  1. Build playbooks that accept a SOAR container's indicators as input and perform actions based on their tags.
  2. Add tags to a container's indicators while viewing enrichment about each indicator, by running the threat_intel_investigate playbook on the container.
  3. Run the playbooks from step 1, which cue off the tags you created during step 2.

Automated Response.

  1. Build playbook that uses "indicator reputation" action to

Phishing Triage.

Playbooks:

threat_intel_investigate

Metadata.

Trigger:

  • run manually when ready to process a container's indicators.
    • This is a user-interaction-required playbook.

Input:

  • a single SOAR container (event / investigation)

Associated Use-cases:

  • Manual Indicator Response

How it works.

  1. collects the list of indicator enrichment playbooks:
    • playbooks tagged with both "investigate" AND "threat_intel"
    • "trustar_enrich_indicators"
  2. collects indicators from the SOAR container.
  3. runs each indicator-enrichment playbook (from step 1):
    1. "trustar_enrich_indicators"
    2. any other enrichment playbooks you've built.
    • input: array of indicators.
    • does: enrichment / lookup / reputation.
    • returns: an enrichment note for each indicator.
  4. aggregates the notes from the sub-playbooks (step 3) and posts them to the container.
  5. shows a prompt for each indicator:
    • displays the enrichment notes.
    • user input: manually add tags to the indicator while looking at the indicator's enrichment.

[ PUT SCREENSHOT OF PROMPT HERE]

  6. uses the tags (from step 5) to drive response in separate response playbooks.

trustar_enrich_indicators

Metadata.

Inputs:

  • array of indicator values from a parent playbook.

Associated Use-Cases:

  • Manual Indicator Response
  • Automated Response

How it works.

  • for each indicator:
    • fetch enrichment from TruSTAR
      • action: indicator_reputation
        app: TruSTAR
    • apply the TruSTAR priority score for the indicator as a tag on the SOAR container's indicator object.
    • format an enrichment note.

[PUT SCREENSHOT OF ENRICHMENT NOTE HERE]

  • return all enrichment notes to the parent playbook.

response

How it works.

  • for each indicator:
    • if it has tag "X":
      • do:
        • thing you want done.
        • another thing you want done.
        • another thing you want done.
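The three playbooks above (and the Manual Indicator Response how-to) form one pipeline: enrich each indicator, tag it with its TruSTAR priority score, let the analyst add processing tags at the prompt, then let a response playbook act on the tags. The following stand-alone Python model walks that pipeline end to end. It is an added illustration, not the TruSTAR app's or the Community playbooks' own code: plain Python objects stand in for Splunk SOAR's playbook API, a constructed lookup table (FAKE_REPUTATION, with assumed field names and HIGH/MEDIUM/LOW labels) stands in for the TruSTAR indicator_reputation action, and example_analyst stands in for the human at the prompt; the tag names and RESPONSE_ACTIONS are likewise assumptions.

```python
"""Stand-alone model of the tag-driven indicator workflow described above.
Added illustration: not the TruSTAR app's or the Community playbooks' code."""
from dataclasses import dataclass, field

# Constructed stand-in for the TruSTAR indicator_reputation action output.
# Field names and HIGH/MEDIUM/LOW labels are assumptions for this example.
FAKE_REPUTATION = {
    "198.51.100.7": {"priorityScore": "HIGH", "sources": ["SourceA", "SourceB"]},
    "example.test": {"priorityScore": "LOW", "sources": ["SourceC"]},
    "d41d8cd98f00b204e9800998ecf8427e": {"priorityScore": "MEDIUM", "sources": []},
}


@dataclass
class Indicator:
    """Minimal model of a SOAR container's indicator object."""
    value: str
    tags: set = field(default_factory=set)


@dataclass
class Container:
    """Minimal model of a SOAR container (event / investigation)."""
    indicators: list
    notes: list = field(default_factory=list)


def indicator_reputation(value):
    """Simulated action call; None means TruSTAR had no record for the value."""
    return FAKE_REPUTATION.get(value)


def trustar_enrich_indicators(indicators):
    """Model of trustar_enrich_indicators: fetch enrichment, apply the priority
    score as a tag on the indicator object, and format one markdown note each."""
    notes = []
    for ind in indicators:
        rep = indicator_reputation(ind.value)
        if rep is None:
            # An explicit tag lets response playbooks tell "no intel" from "low".
            ind.tags.add("trustar_unknown")
            notes.append(f"### {ind.value}\n\n- TruSTAR: no enrichment available\n")
            continue
        score = rep["priorityScore"]
        ind.tags.add(f"trustar_priority_{score.lower()}")
        sources = ", ".join(rep["sources"]) or "none"
        notes.append(f"### {ind.value}\n\n- Priority score: **{score}**\n- Sources: {sources}\n")
    return notes


def threat_intel_investigate(container, analyst_prompt,
                             enrichment_playbooks=(trustar_enrich_indicators,)):
    """Model of threat_intel_investigate: run every enrichment playbook (steps 1-3),
    post the notes to the container (step 4), then prompt per indicator (step 5)."""
    for playbook in enrichment_playbooks:
        container.notes.extend(playbook(container.indicators))
    for ind in container.indicators:
        relevant = [n for n in container.notes if n.startswith(f"### {ind.value}\n")]
        ind.tags.update(analyst_prompt(ind, relevant))  # analyst adds tags
    return container


def example_analyst(indicator, notes):
    """Constructed stand-in for the human at the prompt, who reads the notes
    and decides which processing tags to add to the indicator."""
    if "trustar_priority_high" in indicator.tags:
        return {"block"}
    if "trustar_priority_low" in indicator.tags:
        return {"safelist"}
    return set()


# Tag -> action mapping for the "response" pattern (step 6). The actions are
# placeholders; a real playbook would call the relevant SOAR app actions.
RESPONSE_ACTIONS = {
    "block": lambda ind: f"block {ind.value} across perimeter tools",
    "safelist": lambda ind: f"add {ind.value} to safelist",
    "trustar_priority_high": lambda ind: f"open ticket for {ind.value}",
}


def response(container):
    """Model of the response playbook: for each indicator, if it has tag X,
    do the things configured for X."""
    taken = []
    for ind in container.indicators:
        for tag in sorted(ind.tags):
            handler = RESPONSE_ACTIONS.get(tag)
            if handler is not None:
                taken.append(handler(ind))
    return taken


def run_example():
    """Run the whole flow over a constructed container and return the results."""
    values = ["198.51.100.7", "example.test",
              "d41d8cd98f00b204e9800998ecf8427e", "203.0.113.9"]
    container = Container(indicators=[Indicator(v) for v in values])
    threat_intel_investigate(container, example_analyst)
    return container, response(container)


if __name__ == "__main__":
    c, actions = run_example()
    print("\n".join(c.notes))
    for ind in c.indicators:
        print(ind.value, sorted(ind.tags))
    print(actions)
```

The point to notice is the separation of concerns the page describes: the enrichment playbook only tags and writes notes, the prompt only collects the analyst's tags, and the response playbook keys purely off tags, so new response actions are added by extending RESPONSE_ACTIONS rather than by touching the enrichment logic. An indicator TruSTAR has never seen gets its own tag (trustar_unknown) so that "no intel" is never silently treated as "low priority".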

Actions

Indicator Reputation

Parse Entities
