Splunk® Enterprise Security Content Update

How to Use Splunk Security Content

Use the tagging system with the playbook pack for Splunk SOAR

Tags let the playbook pack call a playbook automatically whenever the associated tag is present, so you can plug your own input playbooks into the pack without editing the pack's playbooks.

Use input playbook tags compatible with the playbook pack

Playbooks in the specified repositories are called automatically if every tag associated with a given use is present on the playbook. The default repository is local.

All input playbooks must carry the tag "risk_notable" in addition to the tags listed in the table; a playbook that lacks "risk_notable" is not dispatched even if its other tags match.

Playbook use                       Tags (required)              Outputs (optional)
Investigation or enrichment        investigate                  note_title, note_content
Blocking indicators                block                        N/A
Containment of assets              asset, containment           N/A
Containment of identities          identity, containment        N/A
Undo containment of assets         asset, undo_containment      N/A
Undo containment of identities     identity, undo_containment   N/A

Understand the indicator tagging system

The risk_notable_review_indicators and risk_notable_block_indicators playbooks use the indicator_get_by_tag utility to fetch indicators with specific tags. To include an indicator with the playbook pack, the playbook used to investigate the indicator type must tag that indicator using the indicator_tag utility.

The following entries list the available indicator tags, how the playbook pack uses each tag, and how you should use the tag in custom input playbooks:

suspicious, malicious
  How the playbook pack uses the tag: The risk_notable_review_indicators playbook alerts the user to any indicator that carries this tag.
  How to use the tag in custom input playbooks: When building an investigation playbook, apply this tag to an indicator. See the Example child playbook deployment topic for an example of how to deploy a child playbook.

safe
  How the playbook pack uses the tag: The risk_notable_review_indicators and risk_notable_block_indicators playbooks ignore indicators with this tag.
  How to use the tag in custom input playbooks: When building investigation playbooks, use this tag to mark indicators that are known to be safe.

marked_for_block
  How the playbook pack uses the tag:
    • The risk_notable_review_indicators playbook alerts the user to any indicator that carries this tag.
    • The risk_notable_block_indicators playbook blocks any indicator with this tag.
  How to use the tag in custom input playbooks: N/A

blocked
  How the playbook pack uses the tag:
    • The risk_notable_review_indicators playbook ignores indicators with this tag.
    • The risk_notable_block_indicators playbook reports any indicator with this tag, marking each indicator as "successfully blocked."
  How to use the tag in custom input playbooks: When building a blocking playbook, apply this tag to an indicator when the block succeeds.

known_asset, known_identity
  How the playbook pack uses the tag:
    • The risk_notable_auto_containment playbook routes indicators with this tag to the containment input playbooks.
    • The splunk_enterprise_security_tag_assets_and_identities playbook applies this tag automatically.
  How to use the tag in custom input playbooks: N/A

contained
  How the playbook pack uses the tag:
    • The risk_notable_auto_containment playbook ignores indicators with this tag.
    • The risk_notable_undo_containment playbook routes indicators with this tag to the undo containment input playbooks.
  How to use the tag in custom input playbooks: When building a containment playbook, apply this tag to an indicator when the containment succeeds.
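The two selection rules above (which input playbooks are dispatched for a set of tags, and which indicators the review and block playbooks act on) can be exercised offline with the following model. This is an added example written for this page, not code from the playbook pack or the Splunk SOAR API: the real dispatch_input_playbooks, indicator_tag and indicator_get_by_tag utilities are replaced by plain Python functions with assumed behaviour, and the playbook names, repository names and indicator values are constructed sample data.

```python
"""Offline model of the playbook-pack tag routing described on this page.

Constructed example: NOT the Splunk SOAR API.  dispatch_input_playbooks,
indicator_tag and indicator_get_by_tag are modelled by plain Python so the
selection rules can be run without a SOAR instance.  All sample data is made up.
"""
from dataclasses import dataclass, field

REQUIRED_TAG = "risk_notable"  # every input playbook must carry this tag

# Tags the review playbook alerts on, and tags that hide an indicator from it.
REVIEW_ALERT_TAGS = frozenset({"suspicious", "malicious", "marked_for_block"})
REVIEW_IGNORE_TAGS = frozenset({"safe", "blocked"})


@dataclass(frozen=True)
class Playbook:
    name: str
    repo: str
    tags: frozenset


@dataclass
class Indicator:
    value: str
    tags: set = field(default_factory=set)


def select_input_playbooks(playbooks, wanted_tags, repos=("local",)):
    """Model of dispatch_input_playbooks: names of playbooks that live in an
    allowed repository (default: local) and whose tags include 'risk_notable'
    plus every tag in wanted_tags, e.g. {'asset', 'containment'}."""
    wanted = frozenset(wanted_tags) | {REQUIRED_TAG}
    return sorted(p.name for p in playbooks if p.repo in repos and wanted <= p.tags)


def indicators_by_tag(indicators, tags_or, tags_exclude=frozenset()):
    """Model of indicator_get_by_tag: indicators carrying any tag in tags_or
    and none of the tags in tags_exclude."""
    return [i for i in indicators
            if i.tags & set(tags_or) and not (i.tags & set(tags_exclude))]


def review_indicators(indicators):
    """Model of risk_notable_review_indicators: indicator values to surface to
    the analyst.  suspicious, malicious and marked_for_block raise an alert;
    safe and blocked indicators are skipped."""
    hits = indicators_by_tag(indicators, REVIEW_ALERT_TAGS, REVIEW_IGNORE_TAGS)
    return sorted(i.value for i in hits)


def block_indicators(indicators, block_fn):
    """Model of risk_notable_block_indicators.  Indicators already tagged
    'blocked' are reported as successfully blocked; marked_for_block indicators
    (unless also safe or blocked) are handed to block_fn and tagged 'blocked'
    on success, which is what a custom blocking playbook does via indicator_tag."""
    already = [i.value for i in indicators_by_tag(indicators, {"blocked"})]
    todo = indicators_by_tag(indicators, {"marked_for_block"}, {"safe", "blocked"})
    report = {"already_blocked": sorted(already), "blocked": [], "failed": []}
    for ind in todo:
        if block_fn(ind.value):      # block_fn stands in for the real blocking action
            ind.tags.add("blocked")
            report["blocked"].append(ind.value)
        else:
            report["failed"].append(ind.value)
    return report


# Constructed sample playbooks: one lacks risk_notable, one is in another repo.
SAMPLE_PLAYBOOKS = [
    Playbook("contain_host", "local", frozenset({REQUIRED_TAG, "asset", "containment"})),
    Playbook("disable_user", "local", frozenset({REQUIRED_TAG, "identity", "containment"})),
    Playbook("whois_lookup", "local", frozenset({REQUIRED_TAG, "investigate"})),
    Playbook("legacy_contain", "local", frozenset({"asset", "containment"})),
    Playbook("lab_contain", "community", frozenset({REQUIRED_TAG, "asset", "containment"})),
]


def sample_indicators():
    """Constructed indicators covering each tag combination of interest."""
    return [
        Indicator("198.51.100.7", {"malicious", "marked_for_block"}),
        Indicator("203.0.113.9", {"suspicious"}),
        Indicator("10.0.0.5", {"suspicious", "safe"}),
        Indicator("evil.example", {"marked_for_block", "blocked"}),
        Indicator("bad.example", {"marked_for_block"}),
    ]


if __name__ == "__main__":
    print(select_input_playbooks(SAMPLE_PLAYBOOKS, {"asset", "containment"}))
    inds = sample_indicators()
    print(review_indicators(inds))
    print(block_indicators(inds, lambda v: v != "bad.example"))
    print(review_indicators(inds))   # the newly blocked indicator no longer alerts
```

Running the script shows the two checks a practitioner usually gets wrong: legacy_contain is never dispatched because it lacks "risk_notable", and lab_contain is only dispatched when its repository is added to the allowed list. It also shows that once a blocking playbook tags an indicator "blocked", the review playbook stops alerting on it, while an indicator tagged both suspicious and safe is never surfaced.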
Last modified on 15 June, 2022

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.43.0, 4.44.0

