Certain security incidents, such as threat intelligence notifications and malware alerts, are common in your organization. When they occur, your team knows the steps to take and they know the expected outcomes. However, your organization, like every other, is prone to staff turnover. While some of your security procedures are documented, they are not done so consistently, and interpretation can be prone to cognitive bias.
You want to automate many of these responses so they can be implemented consistently, quickly, and more effectively. Since you have no experience creating this kind of automation, you need a methodology to guide you in deciding what playbooks your organization should create.
Splunk SOAR playbooks provide the automation you need. Playbooks perform the following common, independent functions: ingest, investigate, contain, notify, document. They perform actions based on logic applied to information in an event's container. They can be executed manually from an event's investigation window or automatically when an event is created or when artifacts are added to it.
You can find shared community playbooks on the Splunk Security Research GitHub, but you will likely have more use cases for playbooks than are available here. In this case, you'll need to create your own and store them on your local Splunk SOAR server.
To determine the right playbooks to create for your organization, follow this methodology:
- Identify the scenario for which you need automation.
- What scenarios does your team spend most of its time addressing?
- How many times do each of these scenarios occur on an average day?
- What are the critical resources used when addressing those scenarios?
- Document and diagram.
- Draw the steps and decision points for addressing each scenario.
- Indicate how much time your analysts spend on each step.
- Use the diagram to answer the following four considerations:
- Inputs: What information does the playbook need?
- Interactions: What systems does the playbook work with?
- Actions: What does the playbook do with the information?
- Artifacts: What changes does the playbook make?
You should aim to a create simple, re-usable playbooks. By limiting the scope of a playbook, you can apply a building-block approach to addressing security incidents, reusing playbooks for multiple scenarios.
If you found this article useful and want to practice creating your own playbooks, Splunk Education offers a 9-hour, instructor-led course on developing Splunk SOAR playbooks. The hands-on labs in the course will teach you how to:
- use the visual playbook editor
- create user interaction and logic
- access and format data
- develop playbooks in a modular fashion
- create custom lists and filters
Click here for the course catalog where you can read the details about this and other Splunk SOAR courses, as well as register.