
Splunk Lantern

Building a SOAR playbook to run SPL eval functions

While the flexibility to run custom Python code within the Splunk SOAR platform is extremely powerful and can be used to achieve almost anything, not every SOC or security team has the skills on hand to create custom functions in Splunk SOAR. This can feel especially painful after investing significant time in learning Search Processing Language (SPL), only to be forced to pivot to pure Python for basic functions like string manipulation.

While SOAR can’t natively leverage SPL and has limited built-in functionality for handling the manipulation of data within the platform, with a little creativity you can easily 'trick' your SOAR instance into running eval commands through SPL run on an integrated Splunk instance. 

This article assumes that you already know how to write SOAR playbooks. If not, see Create playbooks in Splunk SOAR, and then come back to this article.

How to use Splunk software for this use case

Several components are required to run eval functions within SOAR. At a high level they encompass the formatting of an SPL search, running the search through a search action, and processing of the results returned.

Formatting the query

The first step is to write a search that will be used to manipulate the data after it is run on the Splunk instance. This involves using an eval statement to create a new event through the _raw field and populating it with the data you wish to manipulate, referenced as a placeholder made of the variable's number enclosed in braces (for example, {0}).

In the example below, we take the output of a Splunk search and pass it into the eval statement with {0}, and follow this with a | rex and a subsequent eval using an mvjoin to reformat the returned array.

[Screenshot: Format5.png, the format block containing the SPL template]

Running the search

From here we pass the formatted SPL into an action block, and override the command input with a leading | makeresults, which gives us a complete search to be run on the Splunk instance.

The full command that will be run remotely is now as follows:

| makeresults
| eval _raw = "{0}"
| rex field=_raw max_match=0 "'(?<host>[^']+)'"
| eval hosts = mvjoin(host,",")
| fields hosts

[Screenshot: Action3.png, the run query action block]

If you were to recreate this search within the Splunk Enterprise Security instance, the following screenshot shows how the search would be interpreted after the variables are populated.
The | makeresults command creates a synthetic event that uses the input from the SOAR variable, extracts each unique host from the input with | rex, and creates a comma separated list through an eval statement.

These results are passed back to SOAR as an array of values, and our playbook outputs this into a note which shows a comparison of the original value and the modified string.
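To make the format and search steps above concrete, here is an added Python example (not code from the Lantern article or from Splunk SOAR itself) that reproduces what the format block does when it substitutes {0} into the SPL template, and models the rex and mvjoin steps locally so the expected hosts field can be checked before the playbook is wired up. The escaping helper is an addition of mine: it assumes the standard SPL rule that backslashes and double quotes inside a double-quoted eval string are escaped with a backslash, so data containing quotes stays inside the string literal instead of altering the search. The sample SOAR output is constructed.

```python
import re

# The SPL template from the article; {0} is the SOAR placeholder that the
# format block fills with the output of the previous action.
SPL_TEMPLATE = (
    "| makeresults\n"
    '| eval _raw = "{0}"\n'
    "| rex field=_raw max_match=0 \"'(?<host>[^']+)'\"\n"
    '| eval hosts = mvjoin(host,",")\n'
    "| fields hosts"
)


def spl_string_literal(value: str) -> str:
    """Escape a value for use inside a double-quoted SPL eval string.

    Added hardening, not part of the article's playbook: SPL escapes
    backslashes and double quotes with a backslash, so substituting data
    that contains a double quote unescaped would end the literal early.
    """
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_search(soar_output: str) -> str:
    """Return the complete search the action block sends to Splunk."""
    return SPL_TEMPLATE.format(spl_string_literal(soar_output))


# Same pattern as the rex in the template: each single-quoted item in _raw.
HOST_RE = re.compile(r"'([^']+)'")


def model_rex_mvjoin(soar_output: str) -> str:
    """Local model of rex max_match=0 followed by mvjoin(host, ",")."""
    return ",".join(HOST_RE.findall(soar_output))


if __name__ == "__main__":
    # Constructed sample: how SOAR renders a list output from an earlier action.
    sample = "['web01.corp.example', 'db02.corp.example']"
    print(build_search(sample))
    print("hosts =", model_rex_mvjoin(sample))  # hosts = web01.corp.example,db02.corp.example
```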

[Screenshot: Equivalent SPL.png, the equivalent search run in Splunk with the variables populated]

Using the results

The results in SOAR can then be leveraged to continue the automated workflow through a format block, leveraging the IN clause. In this example, the output above was a list of unique hosts, and now those cleaned up hostnames are fed back into this playbook to see if they've ever been associated with malware.

This approach uses a | tstats search that takes in the comma separated list, and returns a binary result field to denote whether the hosts have been observed in the malware data model. This binary result can then easily be passed to a downstream decision block to dynamically switch branches based on the results.

[Screenshot: SOAR SPL Results.png, the playbook note comparing the original value and the modified string]

Additional resources

This article is one of many in a series on using SOAR automation to improve your SOC processes. Check out the additional playbook guidance or some of the links below to continue getting more value out of Splunk SOAR. 

  • Written by Richard Hampshire, Security Architect at Splunk and Matthew Bennett, Managing Director at Hyperion3