Use the tagging system with the playbook pack for Splunk SOAR
Tags allow you to call playbooks any time the tag is present.
Use input playbook tags compatible with the playbook pack
Playbooks in specified repositories are automatically called if the associated tag is present. The default repository is local
.
All input playbooks must include "risk_notable" in addition to the tag itself.
Playbook use | Tags (required) | Outputs (optional) |
---|---|---|
Investigation or enrichment | investigate
|
note_title , note_content
|
Blocking indicators | block
|
N/A |
Containment of assets | asset , containment
|
N/A |
Containment of identities | identity , containment
|
N/A |
Undo containment of assets | asset , undo_containment
|
N/A |
Undo containment of identities | identity , undo_containment
|
N/A |
Understand the indicator tagging system
The risk_notable_review_indicators
and risk_notable_block_indicators
playbooks use the indicator_get_by_tag
utility to fetch indicators with specific tags. To include an indicator with the playbook pack, the playbook used to investigate the indicator type must tag that indicator using the indicator_tag
utility.
This table lists the available indicator tags and how you can use them:
Indicator tag | How the playbook pack uses the indicator tag | How you should use the tag in custom input playbooks |
---|---|---|
suspicious malicious |
The risk_notable_review_indicators playbook alerts the user to any indicators that contain this tag.
|
When building an investigation playbook, use this tag with an indicator. See the Example child playbook deployment topic for an example of how to deploy a child playbook. |
safe
|
The risk_notable_review_indicators and risk_notable_block_indicators playbooks ignore indicators with this tag.
|
When building investigation playbooks, use this tag to mark safe indicators. |
marked_for_block
|
* The risk_notable_review_indicators playbook alerts the user to any indicators that contain this tag.
|
N/A |
blocked
|
* The risk_notable_review_indicators playbook ignores indicators with this tag.
|
When building a blocking playbook, use this tag to mark indicators when successful blocks occur. |
known_asset known_identity |
* The risk_notable_auto_containment playbook routes indicators with this tag to containment input playbooks.
|
N/A |
contained
|
* The risk_notable_auto_containment playbook ignores this tag.
|
When building a containment playbook, use this tag to mark indicators when successful containments occur. |
Build playbooks compatible with the dispatch_input_playbooks utility |
This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.43.0, 4.44.0
Feedback submitted, thanks!