
Splunk Lantern

Using SOAR automation to improve your SOC processes

Security automation can be challenging in large, complex enterprises. You might face organizational roadblocks, policy constraints, or resistance from other system owners when trying to implement automation.

However, many automation steps simply involve investigating previously collected data, which is exactly what Splunk Enterprise is built to search. You can automate SPL searches from Splunk SOAR without the red tape of broader enterprise system integrations, since both systems typically sit within the same organizational area.

This guide shares best practices from our largest successful customers, provides automation ideas you might not have considered, and shows you ways to improve your existing automations.

How to best approach Splunk SOAR automation

Click into the following articles to learn how to approach enterprise-level security automation tasks:

How to best develop Splunk SOAR playbooks

This section assumes that you already know how to write SOAR playbooks at a foundational level. If not, see Create playbooks in Splunk SOAR, and then come back to these articles.

Click into any of the following articles to learn how to create new, useful playbooks or improve the ones you already have:

Additional resources

.conf presentations

Now that you have an idea of how you can use SOAR to help with automation, watch the full .conf talks:

  • Practical SOAR examples from the field (.conf24) [ recording | slides ]
  • Practical SOAR examples from the field: Part 2 (.conf25) [ recording | slides ]

In these talks, you'll get more detail on these best practices and advice on bringing in more SOAR automation to your organization.

GitHub repository

The following GitHub repository contains real playbooks from the field.

Splunk Lantern Articles

  • Written by Richard Hampshire, Security Architect at Splunk, and Matthew Bennett, Managing Director at Hyperion3