Get started with the Risk Notable Playbook Pack for Splunk SOAR
This collection of playbooks and workbooks guides analysts through investigations of risk notables within Splunk SOAR. Risk notables are aggregates of risk anomalies within Splunk Enterprise Security. See Analyze risk in Splunk Enterprise Security in the Use Splunk Enterprise Security manual. As an analyst, learn how to use the workbooks, understand the playbooks, and explore customizing the playbooks.
The playbook pack must be used with the latest release of Splunk Security Content.
Check prerequisites for the playbook pack
Before you use the playbook pack, verify that you have these dependencies:
- Splunk SOAR (Cloud) or (On-premises)
- Splunk Enterprise Security with assets and identities. See Manage assets and identities in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.
- Splunk Enterprise Security with the risk analysis framework producing risk notables. See Analyze risk in Splunk Enterprise Security in the User Splunk Enterprise Security manual.
- Notables you produce from Splunk Enterprise Security must include these fields:
risk_objectevent_idinfo_min_timeinfo_max_time
- Use one of these apps from Splunkbase to bring Splunk Enterprise Security notable events into Splunk SOAR (Cloud) or (On-premises):
- Splunk App for SOAR Export. Configure the multivalue field settings of Splunk App for SOAR Export to consolidate events into a single artifact. See About the Splunk App for SOAR Export and Configure how Splunk Phantom and Splunk SOAR handle multivalue fields in Splunk ES notable events in the Use the Splunk App for SOAR Export to Forward Events manual.
- Splunk App for SOAR. Use this query in the on poll settings to find notable events in the correct fields:
`notable` | search eventtype=risk_notables | fields _time, event_hash, event_id, host, info_min_time, info_max_time, risk_object, risk_object_type, risk_score, rule_description, rule_id, rule_name, search_name, source, splunk_server, urgency
- Splunk Enterprise Security with assets and identities (optional). See Manage assets and identities in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual. The
splunk_enterprise_security_tag_assets_and_identitiesplaybook relies on this framework, and therisk_notable_auto_containmentplaybook uses resulting tags.
Deploy the playbook pack
Verify these deployment steps are done before you use the playbook pack:
- Because the playbook pack follows a five-point scale of severity based on Splunk Enterprise Security, a Splunk SOAR admin must add the severity levels "Critical" and "Informational" to the default severities of "High," "Medium," and "Low." See Create custom severity names in the Administer Splunk SOAR (Cloud) manual.
- Because the playbook pack uses the
risk_notablelabel based on event types with the same names within Splunk Enterprise Security, a Splunk SOAR admin must add therisk_notablelabel. See Create a label in the Administer Splunk SOAR (Cloud) manual. - Configure the base URL for Splunk SOAR.
- (Recommended step.) Copy all playbooks to a repository other than
community, likelocal. See Configure a source control repository for your Splunk SOAR (Cloud) playbooks in the Administer Splunk SOAR (Cloud) manual. Update the matching sub-playbook calls to reference the correct repository, as well as the references in workbooks. - If your Splunk asset on SOAR is not called splunk, change the asset name in the playbook to match the name of your Splunk asset.
- Splunk Web is configured on a port other than 443, like 8000, then includes the specified port directly after the hostname in these items:
- The block "format es url" in the
risk_notable_preprocessplaybook - The block "format summary note" in the
risk_notable_import_dataplaybook
- The block "format es url" in the
Find playbooks in Splunk SOAR
To locate the playbooks from the playbook pack in Splunk SOAR (Cloud) or (On-premises), follow these steps:
- From the Splunk SOAR (Cloud) or (On-premises) menu, select Playbooks.
- Select Update from Source Control > community > Update.
- Filter the Category column to Risk Notable to see all core playbooks.
- Filter the Tags column to risk_notable to see all utility playbooks.
- (Recommended step.) Copy the playbooks to the local repository so you can customize them.
Workbooks in the pack
Workbooks are guided analyst workflows with phases and tasks that can recommend actions and playbooks. This pack includes three workbooks.
| Workbook | Description | Phase | Tasks | Workbook playbooks | Suggested playbooks |
|---|---|---|---|---|---|
| Risk Investigation | Guide the analyst from taking ownership of an investigation through rendering a verdict and selecting a response plan. | Initial Triage | Preprocess Investigate Render Verdict |
risk_notable_investigate
|
risk_notable_preprocess
|
| Risk Response | Follow tasks to review suspect indicators, then select assets and users that need protection. | Mitigate | Block Indicators Protect Assets and Users |
risk_notable_mitigate
|
risk_notable_review_indicators
|
| Risk Recovery | Respond to confirmed incidences by documenting clean-up steps and closing out investigations. | Restore operations | Eradicate threats Undo containments Close investigations |
N/A | risk_notable_auto_undo_containment
|
| Configure Splunk Enterprise Security to use the Machine Learning Toolkit | See descriptions of playbooks in the Risk Notable Playbook Pack |
This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.43.0
Download manual
Feedback submitted, thanks!