Splunk® Enterprise Security Content Update

How to Use Splunk Security Content

Get started with the Risk Notable Playbook Pack for Splunk SOAR

This collection of playbooks and workbooks guides analysts through investigations of risk notables within Splunk SOAR. Risk notables are aggregates of risk anomalies within Splunk Enterprise Security. See Analyze risk in Splunk Enterprise Security in the Use Splunk Enterprise Security manual. As an analyst, learn how to use the workbooks, understand the playbooks, and explore customizing the playbooks.

The playbook pack must be used with the latest release of Splunk Security Content.

Check prerequisites for the playbook pack

Before you use the playbook pack, verify that you have these dependencies:

`notable` 
| search eventtype=risk_notables 
| fields _time, event_hash, event_id, host, info_min_time, info_max_time, risk_object, risk_object_type, risk_score, rule_description, rule_id, rule_name, search_name, source, splunk_server, urgency

  • Splunk Enterprise Security with assets and identities (optional). See Manage assets and identities in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual. The splunk_enterprise_security_tag_assets_and_identities playbook relies on this framework, and the risk_notable_auto_containment playbook uses resulting tags.

Deploy the playbook pack

Verify these deployment steps are done before you use the playbook pack:

  • Because the playbook pack follows a five-point scale of severity based on Splunk Enterprise Security, a Splunk SOAR admin must add the severity levels "Critical" and "Informational" to the default severities of "High," "Medium," and "Low." See Create custom severity names in the Administer Splunk SOAR (Cloud) manual.
  • Because the playbook pack uses the risk_notable label based on event types with the same names within Splunk Enterprise Security, a Splunk SOAR admin must add the risk_notable label. See Create a label in the Administer Splunk SOAR (Cloud) manual.
  • Configure the base URL for Splunk SOAR.
  • (Recommended step.) Copy all playbooks to a repository other than community, like local. See Configure a source control repository for your Splunk SOAR (Cloud) playbooks in the Administer Splunk SOAR (Cloud) manual. Update the matching sub-playbook calls to reference the correct repository, as well as the references in workbooks.
  • If your Splunk asset on SOAR is not called splunk, change the asset name in the playbook to match the name of your Splunk asset.
  • Splunk Web is configured on a port other than 443, like 8000, then includes the specified port directly after the hostname in these items:
    • The block "format es url" in the risk_notable_preprocess playbook
    • The block "format summary note" in the risk_notable_import_data playbook

Find playbooks in Splunk SOAR

To locate the playbooks from the playbook pack in Splunk SOAR (Cloud) or (On-premises), follow these steps:

  1. From the Splunk SOAR (Cloud) or (On-premises) menu, select Playbooks.
  2. Select Update from Source Control > community > Update.
  3. Filter the Category column to Risk Notable to see all core playbooks.
  4. Filter the Tags column to risk_notable to see all utility playbooks.
  5. (Recommended step.) Copy the playbooks to the local repository so you can customize them.

Workbooks in the pack

Workbooks are guided analyst workflows with phases and tasks that can recommend actions and playbooks. This pack includes three workbooks.

Workbook Description Phase Tasks Workbook playbooks Suggested playbooks
Risk Investigation Guide the analyst from taking ownership of an investigation through rendering a verdict and selecting a response plan. Initial Triage Preprocess
Investigate
Render Verdict
risk_notable_investigate risk_notable_preprocess

risk_notable_import_data
start_investigation
risk_notable_enrich
risk_notable_merge_events
risk_notable_verdict

Risk Response Follow tasks to review suspect indicators, then select assets and users that need protection. Mitigate Block Indicators
Protect Assets and Users
risk_notable_mitigate risk_notable_review_indicators

risk_notable_block_indicators
risk_notable_protect_assets_and_users

Risk Recovery Respond to confirmed incidences by documenting clean-up steps and closing out investigations. Restore operations Eradicate threats
Undo containments
Close investigations
N/A risk_notable_auto_undo_containment

reset_entity_risk
splunk_enterprise_security_close_investigation

Last modified on 25 September, 2023
Configure Splunk Enterprise Security to use the Machine Learning Toolkit   See descriptions of playbooks in the Risk Notable Playbook Pack

This documentation applies to the following versions of Splunk® Enterprise Security Content Update: 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.34.0, 4.35.0, 4.36.0, 4.37.0, 4.38.0, 4.39.0, 4.40.0, 4.41.0, 4.42.0, 4.43.0, 4.44.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters