Splunk® SOAR (Cloud)

Administer Splunk SOAR (Cloud)

The classic playbook editor will be deprecated in early 2025. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run, However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

View related data using aggregation rules

Define aggregation rules to view related data in a single location. Artifacts matching a defined rule are copied to a new container.

To view aggregation rules, follow these steps:

  1. From the Home menu, select Administration.
  2. Select Product Settings > Aggregation.

The Aggregation page shows a list of all container labels defined on your system. The number inside the parentheses next to each label is the number of rules defined for that label.

Container labels can be created by an ingestion asset or manually from Home > Administration > Event Settings. For example, you can choose a source label from an ingestion asset like the "Events" label or an "Email" label, then create a destination label such as "Aggregated Events" that makes it clear that containers with that label are aggregated.

Add a new aggregation rule

As an example, you may want to aggregate all containers with matching sourceAddress CEF fields from your "email" label into your "events" label.

To create the example aggregation rule:

  1. From the Home menu, select Administration.
  2. Select Product Settings > Aggregation.
  3. From the Aggregation page, click + Aggregation Rule.
  4. Specify sourceAddress - Email to Events as the name of the rule.
  5. Select email from the drop-down list in the Source Label field.
  6. Select events from the drop-down list in the Destination Label field.
  7. Select Exact from the Match field to aggregate on the exact contents of the CEF field. You can click on the plus (+) icon to add additional match rules.
  8. Select sourceaddress in the CEF field. You can start typing the field name to search through the list of available field names.
  9. Click Save.

Edit an existing aggregation rule

After completing the previous example, perform the following steps to edit an existing aggregation rule in .

  1. Click on any existing rule. In this example, click email to view a summary of the aggregation rule.
  2. Click Edit to make changes to the rule.
  3. Click the trash can icon to remove the rule.

Click + Aggregation Rule to create a new rule. If you create a new rule from the email label rule page, the new rule will automatically populate the Source Label field with email.

Using multiple matches in an aggregation rule

An aggregation rule can have multiple match lines, such as a match on both sourceaddress and destinationaddress.

For this example, both the sourceaddress and destinationaddress must match for it to be aggregated into the same container.

If you treat sourceaddress as the attacker's IP address, and destinationaddress as the target's IP address, then this means you have artifacts being aggregated in the same destination container for only the exact same attacker and victim. So with a target IP address of 1.1.1.1, there is one destination container for attacker IP address 2.2.2.2 and target IP address 1.1.1.1, and a different container for attacker IP address 3.3.3.3 and target IP address 1.1.1.1.

CEF fields are matched even if there is no value. For example, if you have artifacts with a destinationaddress of 1.1.1.1 and no sourceaddress, they are still aggregated together into a destination container.

Last modified on 18 September, 2024
Enable clickable URLs in CEF data   Define tasks using workbooks

This documentation applies to the following versions of Splunk® SOAR (Cloud): current


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters