Selecting the correct apps to integrate the Splunk platform and SOAR

SOAR is also not a replacement for the Splunk platform. However, it interacts with the Splunk platform in a number of ways that will improve your organizational security. This set of articles explains how it does that through the use of several integrations.

Splunk SOAR is a security orchestration, automation, and response platform that combines security infrastructure orchestration, playbook automation, and case management capabilities. It integrates your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats. A typical case workflow in SOAR involves the following steps:

1. Preparation
2. Investigation
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

The best use of Splunk SOAR is to only send events to it that need work done. You should not use it as a replacement for a SIEM, like Splunk Enterprise Security or for general notifications and alerts that don't require action.

SOAR is also not a replacement for a well designed SOC or experienced SOC analysts. Although SOAR is excellent at automating processes that are well-defined, it is more like a SOC intern than an experienced analyst. It can free up analysts' time for tasks that require more critical thinking. Additionally, the better your SOC processes are, the more useful SOAR will be to your team.

To understand how SOAR interacts with the Splunk platform, first review these key SOAR concepts:

• Data sources. Inputs for SOAR.
• Playbooks. A set of apps, actions, decisions, and logic to run certain tasks and create orchestration.
• Actions. API calls to the services.
• Apps. These interact with third-party services to run all kinds of actions. This is where the automation comes in.
• Assets. A specific instance of the code in an app, otherwise thought of as a particular connection to a server. You will have one, along with a host name and credentials, for every Splunk instance you want to talk to.
• Owners. Rule-based access control on who can interact with what connections.

The Splunk platform can interact with any of the above functions. Read the descriptions below and then click into the expert guidance to learn how you can work with each one using Splunk apps.

• Data source. The Splunk platform can push events to SOAR for evaluation. For example, if you have Splunk Enterprise Security and have certain notables that keep coming up, you can send those. In addition, anything that gets returned in a Splunk platform search can be sent to SOAR.
  • App: Splunk App for SOAR Export
  • Expert guidance: The Splunk platform as a SOAR data source
  • Full technical documentation: About the Splunk App for SOAR Export
• App. SOAR can run Splunk platform queries, update events, and pull events from the Splunk platform for evaluation. The Splunk platform can also run queries to enrich information that's in SOAR.
  • App: Splunk Connector
  • Expert guidance: The Splunk platform as a SOAR appliance
  • Full technical documentation: SOAR Connectors on GitHub
• Monitoring and reporting tool. The Splunk platform can be used for monitoring and reporting on data in SOAR, which means it can provide information on any of the six roles described in the image above. Everything happens inside of SOAR gets stored in its Postgres database, where searching is done on the backend. After that, the Splunk platform can be used for monitoring and reporting on that data. This enables you to create custom reports for management or any SOAR users.
  • App: Splunk App for SOAR
  • Expert guidance: The Splunk platform as a SOAR monitoring and reporting tool
  • Full technical documentation: Learn about Splunk App for SOAR