Skip to main content
Splunk Lantern の記事が日本語で利用できるようになりました。.
Splunk Lantern

Automate containment and response actions


Containment strategies are defined based on the type of attack and the potential damage. Incident response teams work to isolate threats, identify attacking hosts, gather evidence, and may employ techniques such as sandboxes to understand the attack's behavior. They will also perform response actions such as removing malware and compromised accounts, restoring systems from clean backups, implementing security patches, and fortifying defenses.

Many teams who are responsible for managing containment and response actions experience constant alert fatigue, which can lead to burnout and loss of SOC staff. Poor alert triage processes lead to more missed actual threats and a rise in security breaches. Moreover, the lack of customization in automation playbooks and workflows can add more to a security analyst’s plate, instead of freeing up time for them.

What are the benefits of automating containment and response actions?

Automating containment and response actions provides a wide range of benefits, including:

  • Avoid alert fatigue by using workflow actions, or playbooks, that process repetitive and ordinary alerts.
  • Free up analyst time to handle the most sensitive and unique incidents.
  • Address threats in seconds - not minutes or hours, creating a lower mean time to respond (MTTR).
  • Use automation to absorb a shortage of analysts.
  • Guarantee quality levels through use of standardized playbooks.

What are containment and response automation best practices?

  • Pre-built Splunk SOAR (SOAR) content and playbooks: Leveraging pre-built SOAR content and playbooks streamlines the automation process, providing security teams with ready-to-use templates for common scenarios. This accelerates deployment and ensures standardized responses to known threats.
  • Alert enrichment: Alert enrichment enhances the context around security alerts by integrating additional information from various sources. This practice empowers analysts with comprehensive insights, enabling more informed and accurate decision-making during the incident response process.
  • Visual playbook editor: The Visual Playbook Editor offers an intuitive, graphical interface for designing and customizing automation workflows. This visual representation simplifies the creation and modification of playbooks, making it accessible to both seasoned security professionals and those newer to the field.
  • Automated alert triage: Automated alert triage involves the use of predefined rules and criteria to classify and prioritize incoming alerts. By swiftly categorizing alerts based on their severity and relevance, security teams can focus their attention on addressing the most critical threats promptly, reducing response times.
  • Automated incident response: Automated incident response allows for the execution of predefined actions in response to specific security incidents. By automating routine tasks and response actions, security teams can mitigate the impact of incidents swiftly and consistently, minimizing the risk of human error and accelerating the overall incident resolution process.

What containment and response automation processes can I put in place?