See descriptions of playbooks in the Risk Notable Playbook Pack
The descriptions of playbooks included in this playbook pack are in this table:
Name | Description | Additional information
---|---|---
risk_investigate | This playbook checks for the Risk Investigation workbook, updates its tasks, and takes notes. | Set this playbook to run in Active mode on the Risk Notable label in Splunk SOAR.
risk_notable_auto_investigate | This playbook implements an auto-investigate workflow based on a user-defined risk threshold. | Designed to replace risk_investigate for organizations that want to adopt a response-first approach.
risk_mitigate | This playbook checks for the presence of the Risk Response workbook and either updates its tasks or leaves generic notes. The risk_notable_verdict playbook recommends this playbook as the second phase of an investigation. You can also use it in ad hoc investigations or incorporate it into custom workbooks. | To configure this playbook to add notes automatically, see the Playbook outputs section of Use the risk notable playbook pack to investigate a risk notable in Splunk SOAR.
risk_notable_preprocess | This playbook prepares a risk notable for investigation by performing these tasks: | For more information, see Deployment steps for using the playbook pack.
risk_notable_import_data | This playbook gathers all of the events associated with the risk notable and imports them as artifacts. It also generates a custom Markdown-formatted note. | The Splunk search used to locate contributing events requires three fields in the notable artifact: risk_object, info_min_time, and info_max_time. The query also deduplicates contributing events and may need to be adjusted for individual Enterprise Security environments. MITRE ATT&CK tactics and techniques appear if you use the annotation framework in Splunk ES. See Use security framework annotations in correlation searches in the Administer Splunk Enterprise Security manual.
risk_notable_enrich | This playbook collects the available indicator data types within the event as well as the available investigative playbooks, and launches any playbooks that meet the filter criteria. | See Call child playbooks with the dynamic playbook system for more information on building or customizing a playbook for inclusion with risk_notable_enrich.
risk_notable_merge_events | This playbook finds related events based on key fields in a risk notable and lets the user review the results and decide which events to merge into the current investigation. | Combining the list_merge utility within the playbook with the find_related_containers utility allows fine-tuning of the related-event criteria. By default, description, risk_object, and threat_object are the important fields, and an event is considered related only when at least three of these fields match. Options to customize the criteria include adding more fields in list_merge, reducing or increasing the minimum match count, or using the wildcard feature of find_related_containers.
risk_notable_auto_merge | This playbook finds similar or duplicate events based on the risk_object field in a risk notable. If two or more events are found and none of them belongs to a case, a case is created from the current container. If a case is found, the current container is merged into that case. | Unlike risk_notable_merge_events, this playbook does not prompt the user before merging. It considers events similar only if they share the exact same value in the risk_object field.
risk_notable_verdict | This playbook locates available playbooks with the response_option tag and presents them to the analyst. It then launches the playbook the analyst selects. | Add the response_option tag to any playbook that should appear in this prompt.
risk_notable_review_indicators | This playbook is designed to be called by a user to process indicators that are marked as suspicious within the SOAR platform. Analysts review the indicators in a prompt and mark each one as blocked or safe. | See Indicator tagging system for more information about the blocking workflow.
risk_notable_block_indicators | This playbook locates indicators marked for blocking and determines whether any blocking playbooks exist. If a playbook's tags match, a filter block routes the name of the playbook to launch to a code block. | See Call child playbooks with the dynamic playbook system for more information on building or customizing a playbook for inclusion with risk_notable_block_indicators.
risk_notable_protect_assets_and_users | This playbook attempts to find assets and users from the notable event and match them with assets and identities from Splunk ES. If a match is found and the user has playbooks available to contain entities, the analyst decides which entities to disable or quarantine. | See Call child playbooks with the dynamic playbook system for more information on building or customizing a playbook for inclusion with risk_notable_protect_assets_and_users.
risk_notable_auto_containment | This playbook implements auto-containment of available assets and identities found in artifacts with high risk scores or confirmed threats. | Enable input playbooks that accept entities to be contained, such as hosts or users.
risk_notable_auto_undo_containment | This playbook gathers contained assets and identities from the container and sends them to playbooks tagged with undo_containment as well as asset or identity. | Enable input playbooks that are designed to undo the actions performed by containment playbooks.
reset_entity_risk | This playbook gathers all of the contributing risk rules in the event that have not had their risk score reset. After prompting the user for a reason, it posts negating risk scores to Splunk. If no risk rules are present, it leaves a comment. | This playbook is designed to be run on individual artifacts or on an entire container.
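The related-event matching described for risk_notable_merge_events and risk_notable_auto_merge, as an added Python example that is not the playbook pack's own code. It models the behaviour attributed to find_related_containers (configurable key fields, a minimum match count, and a wildcard option) and the no-prompt decision of risk_notable_auto_merge over constructed sample containers. The container shape, the in_case field, glob-style wildcard handling, and the function names are assumptions made for illustration, not the utility's actual API.

```python
"""Added example: related-event matching for a risk notable.

Not the playbook pack's code. The real playbooks call the SOAR
find_related_containers / list_merge utilities; this models the
documented criteria so the effect of each knob can be seen offline.
"""
from fnmatch import fnmatch

# Constructed sample containers (id -> key fields). in_case is an
# assumed attribute meaning "already belongs to SOAR case <id>".
DESC_RISK = "Risk Threshold Exceeded For Object Over 24 Hour Period"
DESC_ATTACK = "ATT&CK Tactic Threshold Exceeded For Object Over Previous 7 Days"
SAMPLE_CONTAINERS = {
    101: {"description": DESC_RISK, "risk_object": "jdoe", "threat_object": "mimikatz.exe", "in_case": None},
    102: {"description": DESC_RISK, "risk_object": "jdoe", "threat_object": "mimikatz.exe", "in_case": None},
    103: {"description": DESC_RISK, "risk_object": "jdoe", "threat_object": "psexec.exe", "in_case": None},
    104: {"description": DESC_ATTACK, "risk_object": "jdoe", "threat_object": "psexec.exe", "in_case": 900},
    105: {"description": DESC_RISK, "risk_object": "asmith", "threat_object": "mimikatz.exe", "in_case": None},
    106: {"description": DESC_ATTACK, "risk_object": "asmith", "threat_object": "psexec.exe", "in_case": None},
    107: {"description": DESC_ATTACK, "risk_object": "asmith", "threat_object": "wmic.exe", "in_case": None},
    108: {"description": DESC_ATTACK, "risk_object": "svc-backup", "threat_object": "wmic.exe", "in_case": None},
}

# Default "important fields" named in the documentation.
DEFAULT_FIELDS = ("description", "risk_object", "threat_object")


def find_related_containers(current_id, containers, fields=DEFAULT_FIELDS,
                            minimum_match_count=3, wildcard_values=None):
    """Return ids of other containers matching at least minimum_match_count
    of `fields` against the current container.

    wildcard_values (assumption about the wildcard feature): an optional
    {field: glob} mapping; for those fields the other container's value is
    matched with shell-style globbing instead of exact equality.
    """
    wildcard_values = wildcard_values or {}
    current = containers[current_id]
    related = []
    for cid, other in containers.items():
        if cid == current_id:
            continue
        matches = 0
        for field in fields:
            have = other.get(field)
            if have is None:
                continue
            if field in wildcard_values:
                if fnmatch(str(have), wildcard_values[field]):
                    matches += 1
            elif current.get(field) is not None and have == current[field]:
                matches += 1
        if matches >= minimum_match_count:
            related.append(cid)
    return sorted(related)


def auto_merge_decision(current_id, containers):
    """Mirror the documented risk_notable_auto_merge logic: exact match on
    risk_object only, no analyst prompt. Returns one of
    ("merge_into_case", case_id), ("create_case", [container ids]) or
    ("no_action", None). "Two or more events" is read here as at least two
    related containers besides the current one (an interpretation)."""
    related = find_related_containers(current_id, containers,
                                      fields=("risk_object",), minimum_match_count=1)
    cases = sorted({containers[c]["in_case"] for c in related
                    if containers[c]["in_case"] is not None})
    if cases:
        return ("merge_into_case", cases[0])
    if len(related) >= 2:
        return ("create_case", [current_id] + related)
    return ("no_action", None)


if __name__ == "__main__":
    print("default criteria :", find_related_containers(101, SAMPLE_CONTAINERS))
    print("min 2 matches    :", find_related_containers(101, SAMPLE_CONTAINERS, minimum_match_count=2))
    print("wildcard *.exe   :", find_related_containers(101, SAMPLE_CONTAINERS,
                                                         wildcard_values={"threat_object": "*.exe"}))
    for cid in (101, 105, 108):
        print("auto_merge", cid, ":", auto_merge_decision(cid, SAMPLE_CONTAINERS))
```

Lowering minimum_match_count from 3 to 2 is the change with the largest blast radius: with the default three fields it turns "all fields agree" into "any two agree", so events for a different risk_object but the same search name and threat_object start to look related. Review the prompt output after any such change before trusting it in risk_notable_merge_events, and keep risk_notable_auto_merge on the exact risk_object match the documentation describes, since it merges without asking.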
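The negation step described for reset_entity_risk, as an added Python example that is not the playbook pack's code. It models gathering the contributing risk rules that have not yet been reset, building one negating score per contribution after a reason is supplied, and leaving a comment when there is nothing to reset. The artifact shape, the risk_reset tag used to mark an already-negated artifact, and the output record layout are assumptions; the real playbook posts its negating scores to Splunk through the SOAR app, which is not modelled here.

```python
"""Added example: computing negating risk scores for reset_entity_risk.

Not the playbook pack's code. Artifacts are constructed; the "risk_reset"
tag, the record format and the function names are assumptions.
"""
import copy

# Constructed sample artifacts as they might sit in a risk notable container:
# three risk_rule contributions (one already reset) and the parent notable.
SAMPLE_ARTIFACTS = [
    {"id": 1, "cef": {"risk_object": "jdoe", "risk_object_type": "user",
                      "risk_rule": "Windows Mimikatz Binary Execution", "risk_score": 60}, "tags": []},
    {"id": 2, "cef": {"risk_object": "jdoe", "risk_object_type": "user",
                      "risk_rule": "Windows Mimikatz Binary Execution", "risk_score": 60}, "tags": []},
    {"id": 3, "cef": {"risk_object": "jdoe", "risk_object_type": "user",
                      "risk_rule": "Remote Process Instantiation via WMI", "risk_score": 25},
     "tags": ["risk_reset"]},
    {"id": 4, "cef": {"risk_object": "jdoe", "risk_object_type": "user",
                      "description": "Risk Threshold Exceeded For Object Over 24 Hour Period"}, "tags": []},
]

RESET_TAG = "risk_reset"  # assumed marker for "score already negated"


def pending_risk_rules(artifacts):
    """Contributing risk_rule artifacts whose score has not been reset yet."""
    return [a for a in artifacts
            if "risk_rule" in a["cef"] and RESET_TAG not in a["tags"]]


def build_negations(artifacts, reason):
    """Return (records, artifact_ids): one negating record per pending
    contribution, sized to cancel exactly that contribution, plus the ids to
    tag afterwards. The reason is mandatory, mirroring the analyst prompt."""
    if not reason or not reason.strip():
        raise ValueError("a reason is required before resetting risk")
    pending = pending_risk_rules(artifacts)
    records = []
    for art in pending:
        cef = art["cef"]
        records.append({
            "risk_object": cef["risk_object"],
            "risk_object_type": cef["risk_object_type"],
            "risk_rule": cef["risk_rule"],
            # Always negative, even if a stored score was already negative.
            "risk_score": -abs(float(cef["risk_score"])),
            "reason": reason.strip(),
            "source_artifact": art["id"],
        })
    return records, [a["id"] for a in pending]


def apply_reset(artifacts, reason):
    """Run the step end to end on a container's artifacts (mutates them).
    Returns a summary dict; 'comment' is set when there was nothing to do."""
    records, ids = build_negations(artifacts, reason)
    if not records:
        return {"comment": "No contributing risk rules found; nothing to reset.",
                "records": [], "total_negated": 0.0}
    for art in artifacts:
        if art["id"] in ids:
            art["tags"].append(RESET_TAG)
    return {"comment": None, "records": records,
            "total_negated": sum(r["risk_score"] for r in records)}


if __name__ == "__main__":
    container = copy.deepcopy(SAMPLE_ARTIFACTS)
    first = apply_reset(container, "Confirmed false positive: authorized red team activity")
    print("negated", len(first["records"]), "contributions, total", first["total_negated"])
    second = apply_reset(container, "re-run")
    print("second run:", second["comment"])
```

Tagging each artifact as it is negated is what makes the playbook safe to re-run on a container or on a single artifact: a second invocation finds no pending rules and leaves the comment instead of pushing a second round of negative scores, which would drive the entity's risk below zero.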
This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.43.0