How Playbook Packs Drive Scalable Automation

By Kelby Shelton May 17, 2022

No matter how advanced your Security Operations Center (SOC) is, pre-built Playbook Packs from Splunk can augment your analysts with automation that scales with your organization's maturity. SplunkⓇ Enterprise Security (ES) users can achieve this scalable automation by using a pre-built Risk Notable Playbook Pack in Splunk SOAR.

The starting point begins with Risk-Based Alerting (RBA) from Splunk ES which produces rich, contextual alerts that significantly reduce analyst workload. An RBA-fed Notable Event, called a "Risk Notable," can have hundreds of correlated events. That said, how does an analyst gather that data into a case, investigate each indicator, find related notables, locate all affected entities, and then finally take action? That's what we'll dive into in this post. We'll look into the Risk Notable Playbook Pack for SplunkⓇ SOAR to demonstrate how it integrates case management, automation, and investigation into a seamless workflow that can benefit any Splunk ES and Splunk SOAR customer.

Risk-Based Case Management

Even though a Risk Notable has all of the information regarding an entity being leveraged in an attack on your environment, it can often be difficult for less experienced analysts to know what to do next. Splunk SOAR has an out-of-the-box workflow that guides the analyst from initial triage through mitigation.

Intelligent case management means that SOAR automatically builds an initial report on the possible compromise, all aligned to the MITRE ATT&CK framework. It will mark important artifacts such as high_risk_score events as evidence as you can see in this screenshot.

It then extracts hundreds of indicators from the Notable, enriches them through SplunkⓇ Intelligence Management, and marks key details as evidence. Splunk Intelligence Management shows which indicators from the event have scores and what the various sources say about those indicators as you can see in this screenshot.

Users will see this information waiting for review and Splunk SOAR can even surface related events and merge them into a single case. The merging process can be customized to consider one field, several fields, or a wild card. The mapping between values in an investigation and related events is very powerful and can uncover relationships between events that a team of analysts could easily overlook. Speaking of not overlooking things, let's see how SOAR can ensure your SOC never misses a task again.

Guided Workflows

In addition to helping the analyst by gathering key details, the information is presented through a guided case management template called a Workbook. Workbooks are highly customizable and can be adjusted for ad-hoc investigations as well as cloned or built from scratch to suit your organization's Incident Response plans. In the screenshot below, the Risk Investigation workbook includes the best-practice, recommended steps to handle a Risk Notable from security experts at Splunk. These steps are called "tasks" and are organized into "phases." Splunk SOAR ships with several templates to choose from. Shown here is the Risk Investigation template and contains one phase called "Initial Triage."

The Initial Triage phase walks the analyst through reviewing the alert details, taking ownership of the investigation, reviewing initial enrichment, merging the investigation with other Notables, and then rendering a verdict. The final interaction point in this phase is called "render_verdict" and the output is shown below.

The "render_verdict" prompts the analyst to select a response plan. Response plans are automatically picked up based on what's available to the system. In the screenshot above, risk_notable_mitigate is selected which will guide the analyst through the mitigation phase of the investigation. Once the analyst clicks "Complete," Splunk SOAR will add the next workbook called "Risk Response." Let's look at how automation works together with the analyst to contain and mitigate affected entities.

Scalable Automation

During the Risk Response workbook, SOAR uses the information gathered from Splunk Intelligence Management, and your enrichment playbooks to surface the items you should take action on immediately. This saves precious time for each investigation that would otherwise be spent sifting through potentially hundreds of indicators.

When it comes to taking action on these indicators, Splunk SOAR will ensure that only the right playbooks are paired with the data from your investigation, all based on the connectors you have available. As you import new automation playbooks or develop your own using the Visual Playbook Editor (VPE), they can be registered with the Risk Notable Playbook Pack to be automatically used in all future investigations. This modular and scalable approach ensures that those same playbooks can be reused in situations like Phishing and Malware response. For those automation engineers that want complete control, the VPE supports multiple ways to interact with the data from your event and can be as granular and flexible as you require. Shown here is a sample playbook that leverages VMware Carbon Black to block one of the indicators from the previous screenshot.

Blocking indicators of compromise is obviously important and during an incident you will also ensure that automation is correctly containing your assets and identities. For that matter, how do you know that when you're about to disable an account and reset the password, and that it's not a critical service account? That's where Smart Containment comes in.

Smart Containment

Splunk SOAR will scan all of the artifacts for hosts, users, email accounts, and IP addresses and then pair that with the Asset and Identity information gathered by Splunk ES. The Incident Responder is then equipped with the context they need to make an informed decision on which entities are safe to quarantine immediately.

If no integrations exist for containment, Splunk SOAR will let the user know that an integration does not exist. It will also report on which users and which assets were routed to which tools and store all of that information in the existing investigation. Did we mention that all of that data can be synced in real-time up to Splunk? Imagine the reporting possibilities of every indicator, every action, and every note in one location.

Getting Started

If you are an existing Splunk SOAR user and also use Splunk ES, please consider leveraging the Risk Notable Playbook Pack in your automation and case management strategy. Implementation details can be found in Splunk Docs here. If you are new to Splunk SOAR or still exploring SOAR for your environment, learn what else you can do at https://splunk.com/soar. On this page you can also find a link to signing up for our free Community version. If you would like see the Risk Notable Playbook Pack in action, check out our presentation at .conf21 "SEC1590C - Augmented Case Management With Risk Based Analytics and Splunk SOAR." You can also see our session catalog of Splunk SOAR and Splunk ES topics being presented at .conf22.

We've discussed a lot here about Case Management augmented by the power of automation, but this is only the beginning. In some high-risk situations, you need an automation platform that is capable of taking action immediately on affected entities before the situation gets out of control. A great example of taking this type of action is in the area of Zero Trust which you can learn more about here: Automating Across a Zero Trust Architecture (ZTA). I look forward to posting more about our lineup of Playbook Packs in the future.

This article was co-authored by Dane Disimino, Sr. Product Marketing Manager for SOAR with Splunk.