See descriptions of playbooks in the Risk Notable Playbook Pack
The descriptions of playbooks included in this playbook pack are in this table:
Name | Description | Additional information |
---|---|---|
risk_investigate
|
This playbook checks for the Risk Investigation workbook, updates tasks, and takes notes. | Set this playbook to run in Active mode on the Risk Notable label in Splunk SOAR.
|
risk_notable_auto_investigate
|
This playbook implements an auto-investigate workflow based on a user-defined risk threshold. | A playbook designed to replace risk_investigate for organizations looking to adopt a response-first approach.
|
risk_mitigate
|
This playbook checks for the presence of the Risk Response workbook and updates tasks or leaves generic notes. The risk_notable_verdict playbooks recommend this playbook as a second phase of an investigation. You can also use this playbook in ad-hoc investigations or incorporate it into custom workbooks.
|
To configure this playbook to automatically add notes, see the Playbook outputs section of Use the risk notable playbook pack to investigate a risk notable in Splunk SOAR. |
risk_notable_preprocess
|
This playbook prepares a risk notable for investigation by performing these tasks:
|
For more information, see Deployment steps for using the playbook pack. |
risk_notable_import_data
|
This playbook gathers all of the events associated with the risk notable and imports them as artifacts. It also generates a custom markdown formatted note. | The Splunk search used to locate contributing events requires three fields in the notable artifact: risk_object , iinfo_min_time, and info_max_time . The query also performs some deduplication on contributing events and may need to be adjusted based on individual Enterprise Security environments. Mitre Tactics and Techniques appear if using the annotation framework in Splunk ES. See Use security framework annotations in correlation searches in the Administer Splunk Enterprise Security manual.
|
risk_notable_enrich
|
This playbook collects the available Indicator data types within the event as well as available investigative playbooks. It will launch any playbooks that meet the filtered criteria. | See Call child playbooks with the dynamic playbook system for more information on building or customizing a playbook for inclusion with risk_notable_enrich. |
risk_notable_merge_events
|
This playbook finds related events based on key fields in a risk notable and allows the user to process the results and decide which events to merge into the current investigation. | Combining the list_merge utility within the playbook with the find_related_containers utility allows for fine-tuning of related event criteria. For example, the default filtering criteria uses description, risk_object , and threat_object as the important fields and requires at least three matches before an event is considered related. There are several options to customize the associated criteria, including adding more fields in list_merge , reducing or increasing the minimum match count, or utilizing the wildcard feature of find_related_containers .
|
risk_notable_auto_merge
|
This playbook finds similar or duplicate events based on the risk_object field in a Risk Notable. If two or more events are found with no case, a case will be created with the current container. If a case is found, this container will be merged with the case.
|
Unlike risk_notable_merge_events , this playbook will not prompt the user before merging. It will only consider events to be similar if they share the exact same value from the field called "risk_object."
|
risk_notable_verdict
|
This playbook locates available playbooks with the responses_option tag and presents them to the analyst. Based on the analyst selection, it will launch its chosen playbook.
|
Add response_option to any playbook that should show up in this prompt.
|
risk_notable_review_indicators
|
This playbook was designed to be called by a user to process indicators that are marked as suspicious within the SOAR platform. Analysts will review indicators in a prompt and mark them as blocked or safe. | See Indicator tagging system for more information about the blocking workflow. |
risk_notable_block_indicators
|
This playbook handles locating indicators marked for blocking and determining if any blocking playbooks exist. If there is a match to the appropriate tags in the playbook, a filter block routes the name of the playbook to launch to a code block. | See Call child playbooks with the dynamic playbook system for more information on building or customizing a playbook for inclusion with risk_notable_protect_assets_and_users .
|
risk_notable_protect_assets_and_users
|
This playbook attempts to find assets and users from the notable event and match those with assets and identities from Splunk ES. If a match was found and the user has playbooks available to contain entities, the analyst decides which entities to disable or quarantine. | See Call child playbooks with the dynamic playbook system for more information on building or customizing a playbook for inclusion with risk_notable_protect_assets_and_users .
|
risk_notable_auto_containment
|
Implements an auto-containment of available assets and identities found in artifacts with high risk scores or confirmed threats. | Enable input playbooks that accept entities to be contained such as hosts or users.
|
risk_notable_auto_undo_containment
|
This playbook gathers contained assets and identities from the container and sends them playbooks with "undo_containment" as well as "asset" or "identity" tags. | Enable input playbooks that are designed to undo the actions performed by containment playbooks. |
reset_entity_risk
|
This playbook grabs all of the contributing risk_rules in the event that haven't had a risk score reset. It then posts negating risk scores to Splunk after prompting the user for a reason. If no risk rules are present, a comment will be left.
|
This playbook is designed to be run on individual artifacts or on an entire container.
|
Get started with the Risk Notable Playbook Pack for Splunk SOAR | Understand the risk_notable_investigate playbook |
This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.43.0, 4.44.0
Feedback submitted, thanks!