About Splunk SOAR (On-premises) - Splunk Documentation (2024)


The classic playbook editor will be deprecated soon. Convert your classic playbooks to modern mode.
After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:

  • Convert classic playbooks to modern playbooks
  • Deprecated Features in the Splunk SOAR 6.2.1 release notes

Splunk SOAR (On-premises) is a Security Orchestration, Automation, and Response (SOAR) system. The platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools, so that you can orchestrate security workflows, automate repetitive security tasks, and respond quickly to threats.

Use this manual if you're a Security Operations Center (SOC) staff member, analyst, or manager who is not primarily a Splunk SOAR (On-premises) administrator.

The following diagram shows the end-to-end flow of security automation in Splunk SOAR (On-premises).

In this example, there are three apps in a Splunk SOAR (On-premises) environment. Each app provides at least one action.

  • The MaxMind app provides an action to find the geographical location of an IP address.
  • The PhishTank app provides an action to find the reputation of a URL.
  • The Palo Alto Networks (PAN) Firewall app provides several actions, such as blocking and unblocking access to IP addresses, applications, and URLs.

There is one MaxMind asset, one PhishTank asset, and two PAN Firewall assets. There are two PAN Firewall assets because they each have a different version number. Two playbooks run actions from the app assets.

  • Playbook 1 runs actions from the MaxMind and PAN Firewall version 2.7 assets whenever a new container is created in Splunk SOAR (On-premises).
  • Playbook 2 runs actions from the PhishTank and PAN Firewall version 3.0 assets whenever a specific workbook is used in a case.

The following list describes each component in the diagram and the related terminology, with a pointer to more information for each:

  • App: A connection to third-party security technologies. The connection allows Splunk SOAR (On-premises) to access and run actions provided by the third-party technologies. Some apps also provide a visual component, such as widgets, that can be used to render data produced by the app. More information: see Add and configure apps and assets to provide actions in Splunk SOAR (On-premises) in the Administer manual.
  • Asset: A specific instance of an app. Each asset represents a physical or virtual device within your organization, such as a server, endpoint, router, or firewall. For example, you might have a Palo Alto Networks (PAN) Firewall app that connects the firewall to Splunk SOAR (On-premises). You can configure an asset with the specific connection details for this firewall. If your environment has multiple firewalls, you can configure one asset for each firewall. More information: see Add and configure apps and assets to provide actions in Splunk SOAR (On-premises) in the Administer manual.
  • Container: A security event that is ingested into Splunk SOAR (On-premises). Containers have the default label of Events. Labels are used to group related containers together. For example, containers from the same asset can all have the same label. You can then run a playbook against all containers with the same label. You can create custom labels in Splunk SOAR (On-premises) as needed. More information: see Configure labels to apply to containers in the Administer manual.
  • Case: A special kind of container that can hold other containers. For example, if you have several closely related containers for a security incident, you can promote one of those containers to a case and then add the other related containers to the case. Doing this lets you consolidate your investigation rather than having to investigate each container individually. More information: see Overview of cases.
  • Artifact: A piece of information added to a container, such as a file hash, IP address, or email header. More information: n/a.
  • Indicator or Indicator of Compromise (IOC): A piece of data, such as an IP address, host name, or file hash, that populates the Common Event Format (CEF) fields in an artifact. Indicators are the smallest unit of data that can be acted upon in Splunk SOAR (On-premises). More information: n/a.
  • Playbook: A series of automation tasks that act on new data entering Splunk SOAR (On-premises). For example, you can configure a playbook to run actions against all new containers with a specific label. Or you can configure running a playbook as part of the workflow in a workbook. More information: see Use playbooks to automate analyst workflows in Splunk SOAR (On-premises) in the Build Playbooks with the Playbook Editor manual.
  • Workbook: A template providing a list of standard tasks that analysts can follow when evaluating containers or cases. More information: see Define a workflow in a case using workbooks in Splunk SOAR (On-premises).
  • Action: A high-level primitive used throughout the platform, such as get process dump, block ip, suspend vm, or terminate process. Actions are run in playbooks or manually from the web interface. Actions are made available to Splunk SOAR (On-premises) by apps. More information: see Add and configure apps and assets to provide actions in Splunk SOAR (On-premises) in the Administer manual.
  • Owner: The person responsible for managing assets in your organization. Owners receive approvals, which are requests to run a particular action on an asset. Approvals are sent to the asset owners and contain a service level agreement (SLA) dictating the expected response time. SLAs can be set on events, phases, and tasks. More information: see Configure approval settings for a Splunk SOAR (On-premises) asset in the Administer manual.

See Configure the response times for service level agreements in the Administer manual for more information about configuring SLAs.
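To make the relationships between apps, assets, containers, artifacts, indicators and playbooks concrete, here is an added Python model of the Playbook 1 flow described above; it is not Splunk SOAR's own playbook API or code. Apps provide actions, assets are configured app instances (two PAN assets because of the two versions), a container's artifacts carry CEF fields whose values are the indicators, and a playbook bound to a label runs its actions when a matching container is ingested. The asset names, action names and sample artifacts are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class App:           # connection to a third-party technology; provides actions
    name: str
    actions: frozenset

@dataclass(frozen=True)
class Asset:         # a configured instance of an app (one per device or version)
    name: str
    app: App
    version: str = ""

@dataclass
class Container:     # an ingested security event; artifacts are dicts of CEF fields
    name: str
    label: str = "events"  # the default container label
    artifacts: list = field(default_factory=list)

@dataclass
class Playbook:      # automation bound to a label; steps are (action, asset, cef_field)
    name: str
    trigger_label: str
    steps: list

def run_playbook(pb, container):
    """Run pb against container if its label matches; return (action, asset, indicator) tuples."""
    if container.label != pb.trigger_label:
        return []
    runs = []
    for action, asset, cef_field in pb.steps:
        if action not in asset.app.actions:
            raise ValueError(f"{asset.app.name} does not provide action '{action}'")
        # Indicators are the CEF field values found in the container's artifacts.
        runs += [(action, asset.name, a[cef_field]) for a in container.artifacts if cef_field in a]
    return runs

def handle_new_container(container, playbooks):
    """Mimic ingestion: every playbook whose trigger label matches the container runs."""
    return [run for pb in playbooks for run in run_playbook(pb, container)]

# Constructed sample environment; asset names and action names are assumed, not Splunk's.
MAXMIND = App("MaxMind", frozenset({"geolocate ip"}))
PAN = App("PAN Firewall", frozenset({"block ip", "unblock ip", "block url", "unblock url"}))
ASSETS = {"maxmind": Asset("maxmind", MAXMIND), "pan27": Asset("pan_fw_2_7", PAN, "2.7")}
PLAYBOOK_1 = Playbook("Playbook 1", "events",
                      [("geolocate ip", ASSETS["maxmind"], "sourceAddress"),
                       ("block ip", ASSETS["pan27"], "sourceAddress")])
SAMPLE = Container("suspicious login", artifacts=[
    {"sourceAddress": "203.0.113.7"}, {"requestURL": "http://example.test/login"}])
```

Calling `handle_new_container(SAMPLE, [PLAYBOOK_1])` yields one geolocate run against the MaxMind asset and one block run against the PAN 2.7 asset, both on the indicator 203.0.113.7; a container with a different label triggers nothing.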

Last modified on 03 April, 2024


This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6, 5.4.0, 5.5.0, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2
