Splunk SOAR User Guide
Updated 7 months ago by Steven Chamales
Setup:
TruSTAR setup + workflow setup.
- Set up the TruSTAR App for SOAR.
- Refresh the playbook list to pull from the Community repo.
- Confirm the TruSTAR App asset that the "trustar_enrich_indicators" playbook will use (default=trustar).
- Change both playbooks from Community -> Local (Save As).
- Confirm / update the Prompt username.
- Set the threat_intel_investigate playbook to "active".
References
Use-Cases: Overview.
The Splunk SOAR<>TruSTAR app is intended to be used to achieve 3 use-cases:
- Use TruSTAR indicator enrichment to manually apply SOAR tags to a SOAR container's indicators; those tags then drive the actions taken by subsequent playbooks.
- Automate actions based on an indicator's TruSTAR Priority Score.
- Triage phishing emails.
The Challenges.

Challenge: Rapid manual response selection.
Description:
- Most SOAR users manually select responses; only the most advanced fully automate response off of intel.
- Currently there is no way to rapidly iterate over an investigation's (or phishing email's) indicators, see each indicator's enrichment, and specify processing instructions for that indicator.
Old way:
- Build an ETL logic playbook to fetch all enrichment about the observable from all the intel sources.
- Normalize all the sources' scores / attributes / properties to a common scale.
- Paste the enrichment to the tickets as notes.
- Look at one note at a time.
- Review several notes about each observable.
- Navigate to that observable in the artifacts list.
- A few clicks later, select some other playbooks to run on that observable.
New way:
- Run the playbooks we built for you.
- Use the Indicator Processing UI.
- Done.

Challenge: Multi-Source Intel-Driven Automation.
Description:
- TABLE STAKES: MULTI-SOURCE INTEL MUST BE AGGREGATED & NORMALIZED TO A COMMON SCALE / MODEL FIRST.
- No standard intelligence industry datamodel.
- Many intel producers, many formats, many datamodels, many scoring scales, many different fieldnames for the same datapoint, many constantly-changing APIs.
Old way:
- Define your datamodel & scoring scales.
- Learn the intel sources' datamodels and scoring scales.
- Map the intel sources' datamodels + scoring scales to yours.
- Build playbooks to:
  - extract intel from sources.
  - normalize intel to your datamodel.
  - use your normalized intel to trigger automated response playbooks.
New way:
- Configure TruSTAR.
- Configure the TruSTAR app for SOAR.
- Use the trustar_indicator_reputation action's output to trigger automated response playbooks.

Challenge: Investigation enrichment notes.
New way:
- Read markdown-formatted indicator enrichment notes.
Value-proposition.
How do this app + playbooks help streamline your workflows?

| Value Prop / Capability | Without this app + playbooks | With this app + playbooks | Example |
|---|---|---|---|
| Manual Indicator Response (Manual Indicator Processing; Manual Indicator Review & Processing) | Must aggregate + normalize intel from all enrichment sources in a playbook. | TruSTAR enrichment is native to Splunk SOAR's gold-standard manual indicator response playbook. | Aggregate intel from sources; manually block them across all perimeter tools; manually safelist. |
| Automated Response | Must build a playbook that aggregates + normalizes intel from all enrichment sources. | Playbook only needs to call TruSTAR to fetch enrichment; TruSTAR has already aggregated, normalized, prioritized and prepared the intel. | |
| Phishing Event Prioritization | | | SINT is a native part of the standard SOAR playbook you can use. |
Use-cases: Relationships.

| Use-cases for this app | Associated TruSTAR use-cases | Associated SOAR Community Playbooks |
|---|---|---|
| Manual Indicator Response | | threat_intel_investigate (calls trustar_enrich_indicators) |
| Automated Response | | |
| Phishing Triage | | |
Use-Cases: How-to.
Manual Indicator Response.
1. Build playbooks that accept a SOAR container's indicators as input and perform actions based on their tags.
2. Add tags to the container's indicators while viewing enrichment about each indicator, by running the threat_intel_investigate playbook on the container.
3. Run the playbooks from step 1, which cue off the tags you created during step 2.
Automated Response.
- Build playbook that uses "indicator reputation" action to
Phishing Triage.
Playbooks:

threat_intel_investigate
Metadata:
- Trigger: run manually when ready to process a container's indicators. This is a user-interaction-required playbook.
- Input: a single SOAR container (event / investigation).
- Associated Use-cases: Manual Indicator Response.
How it works:
1. Collects the list of indicator enrichment playbooks:
   - playbooks tagged both "investigate" AND "threat_intel"
   - "trustar_enrich_indicators"
2. Collects the indicators from the SOAR container.
3. Runs each indicator-enrichment playbook (from step 1):
   - "trustar_enrich_indicators"
   - any other enrichment playbooks you've built.
   - input: array of indicators.
   - does: enrichment / lookup / reputation.
   - returns: an enrichment note for each indicator.
4. Aggregates the notes from the sub-playbooks (step 3) and posts them to the container.
5. Shows a prompt for each indicator:
   - displays the enrichment notes.
   - user input: manually add tags to the indicator while looking at the indicator's enrichment.
   [PUT SCREENSHOT OF PROMPT HERE]
6. Use the tags (from step 5) to drive response in separate response playbooks.

trustar_enrich_indicators
Metadata:
- Inputs: array of indicator values from a parent playbook.
- Associated Use-Cases: Manual Indicator Response; Automated Response.
How it works:
1. For each indicator:
   - fetch enrichment from TruSTAR (action: indicator_reputation, app: TruSTAR).
   - apply the TruSTAR priority score for the indicator as a tag on the SOAR container's indicator object.
   - format an enrichment note.
   [PUT SCREENSHOT OF ENRICHMENT NOTE HERE]
2. Return all enrichment notes to the parent playbook.

response
How it works:
- for each indicator:
  - if it has tag "X":
    - do:
      - thing you want done.
      - another thing you want done.
      - another thing you want done.
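A runnable model of the hand-off described above, from the tagging done by trustar_enrich_indicators to a tag-driven response playbook; it serves both the Automated Response use-case (trigger off the indicator reputation output) and the response pattern just shown. This is an added example, not the app's or the Community playbooks' own code: it stands in for Splunk SOAR's phantom API with plain dicts, and the enrichment field names, priority-score labels, tag names and the tag-to-action table are constructed assumptions.

```python
# Constructed enrichment results, shaped like what an indicator_reputation call
# might return; the field names and the priority-score labels are assumptions.
ENRICHMENT = {
    "198.51.100.7": {"priority_score": "HIGH", "sources": ["vendor-a", "vendor-b"]},
    "example.org": {"priority_score": "LOW", "sources": ["vendor-a"]},
    "10.0.0.5": {"priority_score": "BENIGN", "sources": ["internal-allowlist"]},
}

# Constructed tag -> response-action table; this is the "if has tag X: do ..."
# part of the response playbook, kept as data so it can be reviewed and changed.
TAG_ACTIONS = {
    "trustar_priority_high": ["block on perimeter", "add to watchlist"],
    "trustar_priority_benign": ["safelist"],
}


def score_tag(score: str) -> str:
    """Tag name the enrichment step applies for a priority score (assumed scheme)."""
    return "trustar_priority_" + score.lower()


def format_note(value: str, enrichment: dict) -> str:
    """Markdown enrichment note for one indicator, as posted to the container."""
    sources = ", ".join(enrichment["sources"]) or "none"
    return (f"### {value}\n"
            f"- **Priority score:** {enrichment['priority_score']}\n"
            f"- **Sources:** {sources}\n")


def enrich(values: list) -> list:
    """Stand-in for trustar_enrich_indicators: tag each indicator and build its note.
    Unknown indicators are tagged NOT_FOUND, not dropped, so response still sees them."""
    indicators = []
    for value in values:
        e = ENRICHMENT.get(value, {"priority_score": "NOT_FOUND", "sources": []})
        indicators.append({"value": value, "tags": [score_tag(e["priority_score"])],
                           "note": format_note(value, e)})
    return indicators


def plan_response(indicators: list, tag_actions: dict = TAG_ACTIONS) -> list:
    """Response playbook pattern: for each indicator, queue the actions configured for
    its tags. Returns (indicator, action) pairs instead of calling phantom.act."""
    plan = []
    for ind in indicators:
        for tag in ind["tags"]:
            for action in tag_actions.get(tag, []):
                plan.append((ind["value"], action))
    return plan
```

Because the plan is returned rather than executed, a reviewer can diff it against expectations before wiring the pairs to real actions.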
Actions
- Indicator Reputation
- Parse Entities