Splunk® Enterprise Security

Use Splunk Enterprise Security

Automate your investigation response with actions and playbooks in Splunk Enterprise Security

Splunk Enterprise Security uses security orchestration and automation functionality provided by Splunk SOAR (Cloud). You can automate your security workflows in Splunk Enterprise Security by running actions and playbooks that you created in Splunk SOAR (Cloud). To customize playbook action workflows, you can also respond to prompts.

When you're working on an investigation in Splunk Enterprise Security, you can use the Automation tab to review the results of actions and playbooks set to run automatically on the investigation. You can also run playbooks and actions manually and review the results.

To use automation functionality in Splunk Enterprise Security, an admin must pair your Splunk Enterprise Security instance with your Splunk SOAR instance.

Use automation in Splunk Enterprise Security to complete the following tasks:

When you start an investigation with summary data in Splunk Enterprise Security, all active playbooks that operate on the investigation type for that investigation are triggered to run automatically.

Run a playbook

When you're working on an investigation in Splunk Enterprise Security you can use the Automation tab to run a playbook that you created in Splunk SOAR (Cloud) or a playbook included with Splunk Enterprise Security.

Prerequisite

Before you can run a playbook on an investigation, you must first create a playbook in Splunk SOAR (Cloud).

If you're creating a playbook that uses Splunk Enterprise Security data from investigations, use the Enterprise Security block. If your data doesn't come from Splunk Enterprise Security, use the Utility block. For more information on the Utility block, see Add functionality to your playbook in Splunk SOAR (Cloud) using the Utility block in the Splunk SOAR (Cloud) Build Playbooks with the Playbook Editor manual.

Steps

  1. Select an investigation from the Analyst queue on the Mission Control page in Splunk Enterprise Security.
  2. Select the Automation tab.
  3. Select Run playbook.
  4. Locate and select the playbook that you want to run from the list.
  5. Select Run playbook.

After you run a playbook, you can view the playbook details by selecting the entry in the list of automation history on the Automation tab.

Run an action

When you're working on an investigation in Splunk Enterprise Security, you can use the Automation tab to run an action. With the SOAR Community Edition license, you can run up to 100 actions per day in Splunk Enterprise Security. To upgrade to unlimited actions, contact your account manager.

Prerequisite

Before you can run actions on an investigation, you must configure apps in Splunk SOAR (Cloud).

Steps

  1. Select an investigation from the Analyst queue on the Mission Control page in Splunk Enterprise Security.
  2. Select the Automation tab.
  3. Select Run Action.
  4. Run an action by following these steps in any order:
    1. Select the App that you want to use to run the action.
    2. Select the Action that you want to run from the list.
  5. Add the required information for your app and action to configure the action.
  6. Select Run Action.

After you run an action, you can view the action details by selecting the entry in the list of automation history on the Automation tab.

Review playbook and action results

After a playbook or action runs, you can view the results from the list of automation history on the Automation tab of an investigation. Each entry represents an app with actions run on the investigation. You can select an entry to view more details about the action or playbook run.

Follow these steps to review the results of an action or playbook:

  1. Select an investigation from the analyst queue on the Mission Control page in Splunk Enterprise Security.
  2. Select the Automation tab.
  3. From the list of automation history, select an action or playbook run that you want to learn more about. You can search for a particular playbook or action run by name, filter runs with the Show drop-down list, and sort runs with the Sort drop-down list.
    1. (Optional) Some entries default to a table view while others default to a map view. You can view the action or playbook run details by the default visual format, or you can switch to a JSON format. To switch from either a map or a table view to a JSON format view, select the JSON source code icon ( JSON source code icon ).

      You can only review failed action and playbook runs with the JSON format view.

    2. (Optional) Select the download icon ( download JSON output icon ) to download the JSON output for the action or playbook run.
    3. (Optional) For playbook runs, select Open Playbook to view the associated playbook in Splunk SOAR (Cloud).

Stop a playbook run in progress

You can stop a playbook run while it's in progress for an investigation in Splunk Enterprise Security. If you stop a playbook, you lose any progress made on the playbook run. You must rerun the playbook to complete any actions in the playbook.

Follow these steps to stop a playbook run for an investigation:

  1. Select the investigation from the analyst queue on the Mission Control page in Splunk Enterprise Security.
  2. Select the Automation tab.
  3. From the list of automation history, locate the playbook run that you want to stop and select the cancel ( x ) icon.
  4. Select Stop playbook run to confirm that you want to stop it.

Set up actions and playbooks to run with response plan tasks

You can automate your response by setting up actions and playbooks to run with a specific response plan task in Splunk Enterprise Security. Setting up an action or playbook to run on a task might be helpful for analysts who prefer to add tasks or response plans as they undergo their investigation. For example, if you want a response plan to automatically add a new phase at the completion of a task, you can set up a playbook to run with that response plan task.

To set up an action or playbook to run with a response plan task, complete the following steps:

  1. In Splunk Enterprise Security, select Security content and then Response plans.
  2. Open an existing response plan, or create a new one.
  3. Expand the phase you want to edit, or select + Phase.
  4. Expand the task you want to edit, or select + Task.
  5. To set up an action to run with a response plan task, complete the following steps:
    1. Expand the Actions section.
    2. Select + Action.
    3. Select the App that you want to use to run the action.
    4. Select the Action that you want to run from the list.
    5. Add the required information for your app and action to configure the action.
    6. Select Submit.
  6. To set up a playbook to run with a response plan task, complete the following steps:
    1. Expand the Playbooks section.
    2. Select + Playbook.
    3. Locate and select the playbook that you want to run from the list.
    4. Select Submit.
  7. (Optional) To remove an action or playbook run from a response plan task, select the remove icon ( remove icon ) next to the respective action or playbook.
  8. Toggle the Status switch to Published, and select Save changes to publish the response template. You can only add published response plans to investigations.

After you set up an action or playbook to run with a response plan task, you can find the status of the action or playbook, such as Failed or Completed, by selecting the task in the Response tab of an investigation.

Delegate or respond to a prompt

A prompt is a checkpoint that determines a playbook action workflow based on a user's response in Splunk Enterprise Security. Respond to a prompt to change or confirm the next playbook action, or delegate the prompt to another user.

For example, if a playbook locks an account for suspicious login attempts, a prompt block can pose the question "Do you want to lock this user's account?" to an analyst before running the action. To delegate or respond to a prompt, complete the following steps:

  1. Select an investigation from the Analyst queue in Splunk Enterprise Security.
  2. Select the Automation tab.
  3. Select Prompts. The badge represents the number of prompts assigned to you that you haven't responded to yet.
  4. Find the prompt you want to delegate or respond to and select View.

    You can only view a prompt if you are the owner of that prompt.

  5. Review the prompt details such as the deadline, the associated playbook, and the message.
  6. If you want to respond to the prompt, answer the question. Some prompts are informational only and do not include questions. If the prompt does not include a question, continue to the next step.
  7. If you want to assign the prompt to another user, select the Delegate check box.
    1. Select a user or role from the drop-down list to delegate the prompt to.
    2. Enter a reason for delegating the prompt so that the receiving user understands why you're assigning it to them.
  8. Select Submit.

After you delegate or respond to a prompt, the status and response for that prompt updates. If the status is Approved, for example, the playbook runs the succeeding action. If the status is Delegated, the reason for delegation appears as the response.

See also

For more details on automating your investigation response in Splunk Enterprise Security, see the product documentation:

Last modified on 27 September, 2024
Add events to an investigation in Splunk Enterprise Security   Analyze risk with risk-based alerting in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters