Uploaded bywillmorekanan
PDF, PPTX30 views

phantom playbook practice for Automation

phantom playbook practice for Automation

Embed presentation

Download as PDF, PPTX
This presentation may contain forward-looking statements regarding future events, plans or the expected financial performance of our company, including our expectations regarding our products, technology, strategy, customers, markets, acquisitions and investments. These statements reflect management’s current expectations, estimates and assumptions based on the information currently available to us. These forward-looking statements are not guarantees of future performance and involve significant risks, uncertainties and other factors that may cause our actual results, performance or achievements to be materially different from results, performance or achievements expressed or implied by the forward-looking statements contained in this presentation. For additional information about factors that could cause actual results to differ materially from those described in the forward-looking statements made in this presentation, please refer to our periodic reports and other filings with the SEC, including the risk factors identified in our most recent quarterly reports on Form 10-Q and annual reports on Form 10-K, copies of which may be obtained by visiting the Splunk Investor Relations website at www.investors.splunk.com or the SEC's website at www.sec.gov. The forward-looking statements made in this presentation are made as of the time and date of this presentation. If reviewed after the initial presentation, even if made available by us, on our website or otherwise, it may not contain current or accurate information. We disclaim any obligation to update or revise any forward-looking statement based on new information, future events or otherwise, except as required by applicable law. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. We undertake no obligation either to develop the features or functionalities described, in beta or in preview (used interchangeably), or to include any such feature or functionality in a future release. Splunk, Splunk> and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2023 Splunk Inc. All rights reserved. Forward- Looking Statements 03.16.23-15:28
© 2023 SPLUNK INC. 12 Angry Analysts Tuning Splunk® SOAR Events To Keep Your Analysts Happy (Or at Least Content) SEC1406C Gregory Rivas Chief SOAR Dude | Accenture
© 2023 SPLUNK INC. Gregory Rivas Chief SOAR Dude | Accenture
© 2023 SPLUNK INC. Otto Noted Lazy Theropod | AutoSOARus rex
© 2023 SPLUNK INC. Overview 1. An Overview of Phases 2. The Problem 3. An Answer 4. A Scalable Answer 5. A Mature Answer 6. Demo What we’ll cover They told you not to do an overview slide
© 2023 SPLUNK INC. Think About Playbooks in PHASES Ingest Initial container standardization Enhancement Reach out to other services to give your container some context Triage Make a decision Response Take action Groups of playbooks should be categorized according to the functions they play in one phase or another tldr: Keep your playbooks in one phase or another and stay modular Report Tell people Splunk SOAR found or did a thing Closure Archive it for later maybe
© 2023 SPLUNK INC. Ingest Initial container standardization Enhancement Reach out to other services to give your container some context Triage Make a decision Response Take action Report Tell people Splunk® SOAR found or did a thing Closure Archive it for later maybe Your Sales Demo Probably Focused Here
© 2023 SPLUNK INC. Ingest Initial container standardization Enhancement Reach out to other services to give your container some context Triage Make a decision Response Take action Report Tell people Splunk® SOAR found or did a thing Closure Archive it for later maybe Check out Conf22 for SEC1266B for information about the others (link at the end) Our Talk Today Will Focus Here
© 2023 SPLUNK INC. Triage 1. Focus Playbooks on deciding I can’t read what’s on the phone
© 2023 SPLUNK INC. Why is this even on a phone? Triage 1. Focus Playbooks on deciding 2. Put your Humans Here a. Human time is expensive, and slow. Keep prompts, and decisions in ‘Triage’, and to a lesser extent in ‘Response’
© 2023 SPLUNK INC. Triage 1. Focus Playbooks on deciding 2. Put your Humans Here a. Human time is expensive, and slow. Keep prompts, and decisions in ‘Triage’, and to a lesser extent in ‘Response’ 3. Automation should still play a role in this phase a. Use Splunk® SOAR to do obvious steps b. Use Humans to help with less obvious outcomes
© 2023 SPLUNK INC. Triage 1. Focus Playbooks on deciding 2. Put your Humans Here a. Human time is expensive, and slow. Keep prompts, and decisions in ‘Triage’, and to a lesser extent in ‘Response’ 3. Automation should still play a role in this phase a. Use Splunk® SOAR to do obvious steps b. Use Humans to help with less obvious outcomes 4. Consider relevant artifacts created during your enrichment phase
© 2023 SPLUNK INC. The Problem
© 2023 SPLUNK INC. The Problem The analysts keep getting alerts and they hate it. They somehow think it's our responsibility to close some of them
© 2023 SPLUNK INC. © 2023 SPLUNK INC. Done When: • Detection == ‘Interesting External Successful Authentication’ • User == greg.rivas • IP == Within South Korea Why does the dog get a hat but not me? The Problem
© 2023 SPLUNK INC. SOAR Problems The SOC keeps bothering us, and we don't like it. They are always over caffeinated and generally smell bad
© 2023 SPLUNK INC. Done When: • SOC leaves us alone • SOAR team doesn’t have to do work SOAR Problems
© 2023 SPLUNK INC. Solution 1 Let's do something obvious!
© 2023 SPLUNK INC. • Use a Decision! • It’s quick! • It’s easy! Oh no phone anymore? Solution 1
© 2023 SPLUNK INC. IF: Event Detection == ‘Interesting External Successful Authentication’ AND Event User == greg.rivas AND Event Country IP == Republic of Korea Solution 1
© 2023 SPLUNK INC. hah this was too easy! Solution 1
© 2023 SPLUNK INC.
© 2023 SPLUNK INC.
© 2023 SPLUNK INC.
© 2023 SPLUNK INC.
© 2023 SPLUNK INC. Solution 1 Lets TRY!
© 2023 SPLUNK INC. This isn't working Solution 1
© 2023 SPLUNK INC. The Problem with Solution 1 It's just not scaling well
© 2023 SPLUNK INC. Like REALLY not scaling well
© 2023 SPLUNK INC. • Solution 1 SOLVES the Analyst’s Problem. • Solution 1 does NOT solve ANY of our SOAR problems: 1) SOC leaves us alone 2) We don’t want to do work 1) Detection== ‘Interesting External Successful Authentication’ 2) User == ‘Greg.Rivas’ 3) IP == ‘Within South Korea’ Can we make this solution lazier?? The Problem with Solution 1
© 2023 SPLUNK INC. • Lookups! • We’ll make a table of Country and User pairs • We can now call up this table and return a boolean if a value matches! • SOC can also now ADD ROWS to this lookup by themselves when they get more requests Solution 2
© 2023 SPLUNK INC. • Solution 2 empowers the SOC to make entries outside of the SOAR dev cycle • It also allows SOC to very rapidly scale up or down the number of exceptions • Our playbook is now easier to read, and no longer changes exception to exception • Exceptions can now trivially scale many times over Solution 2
© 2023 SPLUNK INC. Insert a custom function behind our fateful decision (This Custom Function will be available for download at the end)
© 2023 SPLUNK INC. Let’s Configure it • Custom List Name • Value to Search • Column Header to search in (This Custom Function will be available for download at the end) Those arrows aren't even
© 2023 SPLUNK INC. Solution 2
© 2023 SPLUNK INC. Now we can revisit our SINGLE decision
© 2023 SPLUNK INC. Let’s Configure it! • Expected src_country == Event src_country • Expected user == Event user If no match, we treat as normal container If it DOES match…
© 2023 SPLUNK INC.
© 2023 SPLUNK INC. We did it!! …. Right??
© 2023 SPLUNK INC.
© 2023 SPLUNK INC.
© 2023 SPLUNK INC.
© 2023 SPLUNK INC.
© 2023 SPLUNK INC.
© 2023 SPLUNK INC. We are not doing 200 playbooks.
© 2023 SPLUNK INC. The Problem with Solution 2 • SOC now wants us to make even more playbooks in direct violation of SOAR rule 2: ‘We don’t want to do work’ • SOC did NOT mention getting in trouble for mixing up ‘IP Addresses’ and ‘Users’, playing the blame game for who edited the exception lookup we wrote them. • While this is objectively funny to you, you still feel bad because you gave them enough Cat5 cable to DOS themselves Solution 2 was a victim of its own success. Originally solving both SOAR problems, The solution worked so well the SOC wants it for other detections now.
© 2023 SPLUNK INC. • Solution 2 SOLVES the Analyst’s Problem. • Solution 2 does solve ONE of our SOAR problems: 1) SOC leaves us alone 2) We don’t want to do work 1) Detection== ‘Interesting External Successful Authentication’ 2) User == ‘Greg.Rivas’ 3) IP == ‘Within South Korea’ Can we make this solution lazier?? The Problem with Solution 2
© 2023 SPLUNK INC. Solution 3 Let's Revisit Solution 2 and see if we can make some improvements
© 2023 SPLUNK INC. • Lookups! Solution 3
© 2023 SPLUNK INC. • Lookups! Solution 3
© 2023 SPLUNK INC. • Lookups! • We’ll make a table of IP and User pairs Solution 3
© 2023 SPLUNK INC. • Lookups! • We’ll make a table of IP and User pairs with relevant field names Solution 3
© 2023 SPLUNK INC. • Lookups! • We’ll make a table of IP and User pairs with relevant field names • We can now call up this table and return a boolean if a value matches! Solution 3
© 2023 SPLUNK INC. • Lookups! • We’ll make a table of IP and User pairs with relevant field names • We can now call up this table and return a boolean if a value matches! • Playbook now allows field values to be RegEx compliant, allowing for wild card matches or other patterns Solution 3
© 2023 SPLUNK INC. • Lookups! • We’ll make a table of IP and User pairs with relevant field names • We can now call up this table and return a boolean if a value matches! • Playbook now allows field values to be RegEx compliant, allowing for wild card matches or other patterns • SOC can also now ADD ROWS to this lookup by themselves when they get another request Solution 3
© 2023 SPLUNK INC. • Lookups! • We’ll make a table of IP and User pairs with relevant field names • We can now call up this table and return a boolean if a value matches! • Playbook now allows field values to be RegEx compliant, allowing for wild card matches or other patterns • SOC can also now ADD ROWS to this lookup by themselves when they get another request • New meta fields allow for a JIRA ticket number to be included, line match statistics, and some resolution language Solution 3
© 2023 SPLUNK INC. • Lookups! • We’ll make a table of IP and User pairs with relevant field names • We can now call up this table and return a boolean if a value matches! • Playbook now allows field values to be RegEx compliant, allowing for wild card matches or other patterns • SOC can also now ADD ROWS to this lookup by themselves when they get another request • New meta fields allow for a JIRA ticket number to be included, line match statistics, and some resolution language • List now includes timestamp of first and last rule match Solution 3
© 2023 SPLUNK INC. • Lookups! • We’ll make a table of IP and User pairs with relevant field names • We can now call up this table and return a boolean if a value matches! • Playbook now allows field values to be RegEx compliant, allowing for wild card matches or other patterns • SOC can also now ADD ROWS to this lookup by themselves when they get another request • New meta fields allow for a JIRA ticket number to be included, line match statistics, and some resolution language • List now includes timestamp of first and last rule match • Playbook echoes a copy of the matching rule and line in closure notes and as a note in the container in case rule changes Solution 3
© 2023 SPLUNK INC.
© 2023 SPLUNK INC.
© 2023 SPLUNK INC. This is literally the only thing the analysts care about… So uncultured!
© 2023 SPLUNK INC. Solution 3
© 2023 SPLUNK INC. • Solution 3 SOLVES the Analyst’s Problem. • Solution 3 SOLVES the SOAR problems: 1) SOC leaves us alone 2) We dont want to do work 1) Detection== ‘Interesting External Successful Authentication’ 2) User == ‘Greg.Rivas’ 3) IP == ‘Within South Korea’ Solution 3
© 2023 SPLUNK INC. SOC now: • Has only one lookup table to worry about Solution 3
© 2023 SPLUNK INC. SOC now: • Has only one lookup table to worry about • Has a table that can scale to hundreds of unique rules Solution 3
© 2023 SPLUNK INC. SOC now: • Has only one lookup table to worry about • Has a table that can scale to hundreds of unique rules • Can write an autoclosure lookup rule for ANY detection that exists or could exist Solution 3
© 2023 SPLUNK INC. My favorite one! SOC now: • Has only one lookup table to worry about • Has a table that can scale to hundreds of unique rules • Can write an autoclosure lookup rule for ANY detection that exists or could exist • Can write their own rules without bothering us SOAR folk Solution 3
© 2023 SPLUNK INC. SOC now: • Has only one lookup table to worry about • Has a table that can scale to hundreds of unique rules • Can write an autoclosure lookup rule for ANY detection that exists or could exist • Can write their own rules without bothering us SOAR folk • Are now required to have a JIRA ticket history for the rule they write, which is used in the closure notes Solution 3
© 2023 SPLUNK INC. SOC now: • Has only one lookup table to worry about • Has a table that can scale to hundreds of unique rules • Can write an autoclosure lookup rule for ANY detection that exists or could exist • Can write their own rules without bothering us SOAR folk • Are now required to have a JIRA ticket history for the rule they write, which is used in the closure notes • Can auto close tickets using text contained in the lookup, not a generic closure note Solution 3
© 2023 SPLUNK INC. SOC now: • Has only one lookup table to worry about • Has a table that can scale to hundreds of unique rules • Can write an autoclosure lookup rule for ANY detection that exists or could exist • Can write their own rules without bothering us SOAR folk • Are now required to have a JIRA ticket history for the rule they write, which is used in the closure notes • Can auto close tickets using text contained in the lookup, not a generic closure note • Gets a note auto-created when a rule matches, containing the matching line from the lookup Solution 3
© 2023 SPLUNK INC. But SOAR gets some wins from this too! Solution 3
© 2023 SPLUNK INC. SOAR Now: • Does not have to worry about modifying playbooks for every exception from SOC Solution 3
© 2023 SPLUNK INC. SOAR Now: • Does not have to worry about modifying playbooks for every exception from SOC • Has an audit trail in JIRA of such modifications or additions to the table Solution 3
© 2023 SPLUNK INC. SOAR Now: • Does not have to worry about modifying playbooks for every exception from SOC • Has an audit trail in JIRA of such modifications or additions to the table • Knows exactly what rule matched and closed the alert at the time of auto-closure Solution 3
© 2023 SPLUNK INC. SOAR Now: • Does not have to worry about modifying playbooks for every exception from SOC • Has an audit trail in JIRA of such modifications or additions to the table • Knows exactly what rule matched and closed the alert at the time of auto-closure Can you summarize this better? Solution 3
© 2023 SPLUNK INC. Thank You Using Splunk® SOAR, we were able to empower SOC to move at speed, outside the confines that limit standard DevOps
© 2023 SPLUNK INC. WAY too Salesy
© 2023 SPLUNK INC. Thank You We don’t have to listen to the SOC complain at SOAR about false positives anymore!
© 2023 SPLUNK INC. Demo Video
© 2023 SPLUNK INC. Git Link is listed below Greg Rivas https://beacons.ai/not_greg
© 2023 SPLUNK INC. Thank You

More Related Content

PDF
Splunk4Rookies - Attendee - May 2023.pdf
bydjdhhdddhhd
 
PDF
Splunk ES 8 mission controle data analytic
bywillmorekanan
 
PDF
Ug soar 22sep21
byEric Gardner
 
PPTX
Splunk .conf18 Updates, Config Add-on, SplDevOps
byHarry McLaren
 
PPTX
Security Automation & Orchestration
bySplunk
 
PPTX
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
bySplunk
 
PDF
SplunkLive! Stockholm 2015 - Statnett
bySplunk
 
PPTX
Splunk enterprise security_splunk_bengaluru_user_group_2020_10_03
byNiketNilay
 
Splunk4Rookies - Attendee - May 2023.pdf
bydjdhhdddhhd
 
Splunk ES 8 mission controle data analytic
bywillmorekanan
 
Ug soar 22sep21
byEric Gardner
 
Splunk .conf18 Updates, Config Add-on, SplDevOps
byHarry McLaren
 
Security Automation & Orchestration
bySplunk
 
Splunk Discovery Köln - 17-01-2020 - Accelerate Incident Response
bySplunk
 
SplunkLive! Stockholm 2015 - Statnett
bySplunk
 
Splunk enterprise security_splunk_bengaluru_user_group_2020_10_03
byNiketNilay
 

Similar to phantom playbook practice for Automation

PDF
Splunk-Presentation
byPrasadThorat23
 
PDF
SFBA Splunk Usergroup meeting Nov 20, 2024
byBecky Burwell
 
PDF
PSUG 7 - 2025-06-03 - David Bianco on Splunk SURGe
byTomas Moser
 
PDF
Power the SOC of the Future with scale, speed and choice - Splunk Public Sect...
bySplunk EMEA
 
PPTX
November 2021 Splunk PNW User Group
byAmanda Richardson
 
PDF
Splunk Solution overview testing versi 1
byyulitasarahhh
 
PDF
A Risk Based Approach to Security Detection and Investigation by Kelby Shelton
byJohn Billings CISSP
 
PDF
Splunk conf2014 - Splunk for Data Science
bySplunk
 
PDF
2007_Intro to SOAR......................
byAntonioIsipJr1
 
PPTX
Splunk Phantom SOAR Roundtable
bySplunk
 
PPTX
SplunkLive! Splunk for Insider Threats and Fraud Detection
bySplunk
 
PPTX
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
bySplunk
 
PDF
March 2023 PNW User Group
byAmanda Richardson
 
PDF
2022 09 March Splunk PNW User Group
byAmanda Richardson
 
PPTX
Delivering New Visibility and Analytics for IT Operations
bySplunk
 
PPTX
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
bySplunk
 
PPTX
Partner Exec Summit 2018 - Frankfurt: Analytics-driven Security und SOAR
bySplunk
 
PDF
LaGatta and de Garrigues - Splunk for Data Science - .conf2014
byTom LaGatta
 
PDF
Splunk for DataScience (.conf2014)
bystelligence
 
PPTX
Make Your SOC Work Smarter, Not Harder
bySplunk
 
Splunk-Presentation
byPrasadThorat23
 
SFBA Splunk Usergroup meeting Nov 20, 2024
byBecky Burwell
 
PSUG 7 - 2025-06-03 - David Bianco on Splunk SURGe
byTomas Moser
 
Power the SOC of the Future with scale, speed and choice - Splunk Public Sect...
bySplunk EMEA
 
November 2021 Splunk PNW User Group
byAmanda Richardson
 
Splunk Solution overview testing versi 1
byyulitasarahhh
 
A Risk Based Approach to Security Detection and Investigation by Kelby Shelton
byJohn Billings CISSP
 
Splunk conf2014 - Splunk for Data Science
bySplunk
 
2007_Intro to SOAR......................
byAntonioIsipJr1
 
Splunk Phantom SOAR Roundtable
bySplunk
 
SplunkLive! Splunk for Insider Threats and Fraud Detection
bySplunk
 
SplunkLive! Paris 2018: Delivering New Visibility And Analytics For IT Operat...
bySplunk
 
March 2023 PNW User Group
byAmanda Richardson
 
2022 09 March Splunk PNW User Group
byAmanda Richardson
 
Delivering New Visibility and Analytics for IT Operations
bySplunk
 
SplunkLive! Zurich 2018: Use Splunk for Incident Response, Orchestration and ...
bySplunk
 
Partner Exec Summit 2018 - Frankfurt: Analytics-driven Security und SOAR
bySplunk
 
LaGatta and de Garrigues - Splunk for Data Science - .conf2014
byTom LaGatta
 
Splunk for DataScience (.conf2014)
bystelligence
 
Make Your SOC Work Smarter, Not Harder
bySplunk
 

More from willmorekanan

PDF
Splunk configuration file for the cloud automation
bywillmorekanan
 
PDF
Splunk Cloud Platform's Cross-Region Disaster Recovery.pdf
bywillmorekanan
 
PDF
Accelerate Observability of the Database Foundations Underpinning.pdf
bywillmorekanan
 
PDF
Splunk itsi infrastructure components implementation and integration
bywillmorekanan
 
PDF
Splunk configuration file for the cloud
bywillmorekanan
 
PPTX
Splunk_ITSI_Interview_Prep_Deck.pptx interview
bywillmorekanan
 
Splunk configuration file for the cloud automation
bywillmorekanan
 
Splunk Cloud Platform's Cross-Region Disaster Recovery.pdf
bywillmorekanan
 
Accelerate Observability of the Database Foundations Underpinning.pdf
bywillmorekanan
 
Splunk itsi infrastructure components implementation and integration
bywillmorekanan
 
Splunk configuration file for the cloud
bywillmorekanan
 
Splunk_ITSI_Interview_Prep_Deck.pptx interview
bywillmorekanan
 

Recently uploaded

PPTX
Scrum Master V5.2 - Trainer PPT new doc.pptx
byjaladi1231
 
PDF
Yellow and Black Futuristic Cloud Computing Presentation.pdf
byrenuanas786
 
PDF
Yellow and Black Futuristic Cloud Computing Presentation.pdf
byrenuanas786
 
PPTX
Generative_AI_Overview - A tale of modern AI
byUnansweredQuestions
 
PPTX
LinkedIn Lead Generation expert for B2B Lead Generation
byMdBelalSharif1
 
PDF
the-courtroom-color.pdf murdoku puzzless
byEduardoPortugal14
 
PPTX
ppt for civil sustainable 1 st year enginnering.pptx
by9c2purnachandra
 
PDF
ECO_Q3_2018_PRE_EN greek economy trito tetramino.pdf
bymranderson131
 
PDF
Market Basket Analysis market basket.pdf
bybakhtawarseerat33
 
PPTX
TISSUE EMBEDDING SYSTEM machine machine machine
byanantcyrix
 
PPTX
Vector Space Modelin Information Storage and Retrieval .pptx
byhermelamisganew
 
PPTX
Universidad de Almería Transcripts
byfin3dbxcn7
 
PDF
15th International Conference on Mobile & Wireless Networks (MoWiN 2026)
byijmnct
 
PPTX
Cranfield University Transcripts
by00rq3cgckh
 
PPTX
Village cropping pattern for croping and working
byspmnroryss
 
PDF
The LLM Revolution: How Foundation Models, Third-Party Services, and Infrastr...
byHugleroevreciBlog
 
PDF
AI 30.pdf Practical Insights from CA Suvidha Chaplot for AI Implementation in...
byCA Suvidha Chaplot
 
PDF
AI_Automation_Infographics_Complete_merged.pdf AI & Automation: Transforming...
byCA Suvidha Chaplot
 
DOCX
An Educational Overview, Historical Context, and Key Lessons for Crypto Users...
bytopsellerit 4543
 
DOCX
A Complete Guide to Secure Cryptocurrency Trading and Digital Asset Managemen...
bytopsellerit 4543
 
Scrum Master V5.2 - Trainer PPT new doc.pptx
byjaladi1231
 
Yellow and Black Futuristic Cloud Computing Presentation.pdf
byrenuanas786
 
Yellow and Black Futuristic Cloud Computing Presentation.pdf
byrenuanas786
 
Generative_AI_Overview - A tale of modern AI
byUnansweredQuestions
 
LinkedIn Lead Generation expert for B2B Lead Generation
byMdBelalSharif1
 
the-courtroom-color.pdf murdoku puzzless
byEduardoPortugal14
 
ppt for civil sustainable 1 st year enginnering.pptx
by9c2purnachandra
 
ECO_Q3_2018_PRE_EN greek economy trito tetramino.pdf
bymranderson131
 
Market Basket Analysis market basket.pdf
bybakhtawarseerat33
 
TISSUE EMBEDDING SYSTEM machine machine machine
byanantcyrix
 
Vector Space Modelin Information Storage and Retrieval .pptx
byhermelamisganew
 
Universidad de Almería Transcripts
byfin3dbxcn7
 
15th International Conference on Mobile & Wireless Networks (MoWiN 2026)
byijmnct
 
Cranfield University Transcripts
by00rq3cgckh
 
Village cropping pattern for croping and working
byspmnroryss
 
The LLM Revolution: How Foundation Models, Third-Party Services, and Infrastr...
byHugleroevreciBlog
 
AI 30.pdf Practical Insights from CA Suvidha Chaplot for AI Implementation in...
byCA Suvidha Chaplot
 
AI_Automation_Infographics_Complete_merged.pdf AI & Automation: Transforming...
byCA Suvidha Chaplot
 
An Educational Overview, Historical Context, and Key Lessons for Crypto Users...
bytopsellerit 4543
 
A Complete Guide to Secure Cryptocurrency Trading and Digital Asset Managemen...
bytopsellerit 4543
 

phantom playbook practice for Automation

  • 1.
    This presentation maycontain forward-looking statements regarding future events, plans or the expected financial performance of our company, including our expectations regarding our products, technology, strategy, customers, markets, acquisitions and investments. These statements reflect management’s current expectations, estimates and assumptions based on the information currently available to us. These forward-looking statements are not guarantees of future performance and involve significant risks, uncertainties and other factors that may cause our actual results, performance or achievements to be materially different from results, performance or achievements expressed or implied by the forward-looking statements contained in this presentation. For additional information about factors that could cause actual results to differ materially from those described in the forward-looking statements made in this presentation, please refer to our periodic reports and other filings with the SEC, including the risk factors identified in our most recent quarterly reports on Form 10-Q and annual reports on Form 10-K, copies of which may be obtained by visiting the Splunk Investor Relations website at www.investors.splunk.com or the SEC's website at www.sec.gov. The forward-looking statements made in this presentation are made as of the time and date of this presentation. If reviewed after the initial presentation, even if made available by us, on our website or otherwise, it may not contain current or accurate information. We disclaim any obligation to update or revise any forward-looking statement based on new information, future events or otherwise, except as required by applicable law. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. We undertake no obligation either to develop the features or functionalities described, in beta or in preview (used interchangeably), or to include any such feature or functionality in a future release. Splunk, Splunk> and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2023 Splunk Inc. All rights reserved. Forward- Looking Statements 03.16.23-15:28
  • 2.
    © 2023 SPLUNKINC. 12 Angry Analysts Tuning Splunk® SOAR Events To Keep Your Analysts Happy (Or at Least Content) SEC1406C Gregory Rivas Chief SOAR Dude | Accenture
  • 3.
    © 2023 SPLUNKINC. Gregory Rivas Chief SOAR Dude | Accenture
  • 4.
    © 2023 SPLUNKINC. Otto Noted Lazy Theropod | AutoSOARus rex
  • 5.
    © 2023 SPLUNKINC. Overview 1. An Overview of Phases 2. The Problem 3. An Answer 4. A Scalable Answer 5. A Mature Answer 6. Demo What we’ll cover They told you not to do an overview slide
  • 6.
    © 2023 SPLUNKINC. Think About Playbooks in PHASES Ingest Initial container standardization Enhancement Reach out to other services to give your container some context Triage Make a decision Response Take action Groups of playbooks should be categorized according to the functions they play in one phase or another tldr: Keep your playbooks in one phase or another and stay modular Report Tell people Splunk SOAR found or did a thing Closure Archive it for later maybe
  • 7.
    © 2023 SPLUNKINC. Ingest Initial container standardization Enhancement Reach out to other services to give your container some context Triage Make a decision Response Take action Report Tell people Splunk® SOAR found or did a thing Closure Archive it for later maybe Your Sales Demo Probably Focused Here
  • 8.
    © 2023 SPLUNKINC. Ingest Initial container standardization Enhancement Reach out to other services to give your container some context Triage Make a decision Response Take action Report Tell people Splunk® SOAR found or did a thing Closure Archive it for later maybe Check out Conf22 for SEC1266B for information about the others (link at the end) Our Talk Today Will Focus Here
  • 9.
    © 2023 SPLUNKINC. Triage 1. Focus Playbooks on deciding I can’t read what’s on the phone
  • 10.
    © 2023 SPLUNKINC. Why is this even on a phone? Triage 1. Focus Playbooks on deciding 2. Put your Humans Here a. Human time is expensive, and slow. Keep prompts, and decisions in ‘Triage’, and to a lesser extent in ‘Response’
  • 11.
    © 2023 SPLUNKINC. Triage 1. Focus Playbooks on deciding 2. Put your Humans Here a. Human time is expensive, and slow. Keep prompts, and decisions in ‘Triage’, and to a lesser extent in ‘Response’ 3. Automation should still play a role in this phase a. Use Splunk® SOAR to do obvious steps b. Use Humans to help with less obvious outcomes
  • 12.
    © 2023 SPLUNKINC. Triage 1. Focus Playbooks on deciding 2. Put your Humans Here a. Human time is expensive, and slow. Keep prompts, and decisions in ‘Triage’, and to a lesser extent in ‘Response’ 3. Automation should still play a role in this phase a. Use Splunk® SOAR to do obvious steps b. Use Humans to help with less obvious outcomes 4. Consider relevant artifacts created during your enrichment phase
  • 13.
    © 2023 SPLUNKINC. The Problem
  • 14.
    © 2023 SPLUNKINC. The Problem The analysts keep getting alerts and they hate it. They somehow think it's our responsibility to close some of them
  • 15.
    © 2023 SPLUNKINC. © 2023 SPLUNK INC. Done When: • Detection == ‘Interesting External Successful Authentication’ • User == greg.rivas • IP == Within South Korea Why does the dog get a hat but not me? The Problem
  • 16.
    © 2023 SPLUNKINC. SOAR Problems The SOC keeps bothering us, and we don't like it. They are always over caffeinated and generally smell bad
  • 17.
    © 2023 SPLUNKINC. Done When: • SOC leaves us alone • SOAR team doesn’t have to do work SOAR Problems
  • 18.
    © 2023 SPLUNKINC. Solution 1 Let's do something obvious!
  • 19.
    © 2023 SPLUNKINC. • Use a Decision! • It’s quick! • It’s easy! Oh no phone anymore? Solution 1
  • 20.
    © 2023 SPLUNKINC. IF: Event Detection == ‘Interesting External Successful Authentication’ AND Event User == greg.rivas AND Event Country IP == Republic of Korea Solution 1
  • 21.
    © 2023 SPLUNKINC. hah this was too easy! Solution 1
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
    © 2023 SPLUNKINC. Solution 1 Lets TRY!
  • 27.
    © 2023 SPLUNKINC. This isn't working Solution 1
  • 28.
    © 2023 SPLUNKINC. The Problem with Solution 1 It's just not scaling well
  • 29.
    © 2023 SPLUNKINC. Like REALLY not scaling well
  • 30.
    © 2023 SPLUNKINC. • Solution 1 SOLVES the Analyst’s Problem. • Solution 1 does NOT solve ANY of our SOAR problems: 1) SOC leaves us alone 2) We don’t want to do work 1) Detection== ‘Interesting External Successful Authentication’ 2) User == ‘Greg.Rivas’ 3) IP == ‘Within South Korea’ Can we make this solution lazier?? The Problem with Solution 1
  • 31.
    © 2023 SPLUNKINC. • Lookups! • We’ll make a table of Country and User pairs • We can now call up this table and return a boolean if a value matches! • SOC can also now ADD ROWS to this lookup by themselves when they get more requests Solution 2
  • 32.
    © 2023 SPLUNKINC. • Solution 2 empowers the SOC to make entries outside of the SOAR dev cycle • It also allows SOC to very rapidly scale up or down the number of exceptions • Our playbook is now easier to read, and no longer changes exception to exception • Exceptions can now trivially scale many times over Solution 2
  • 33.
    © 2023 SPLUNKINC. Insert a custom function behind our fateful decision (This Custom Function will be available for download at the end)
  • 34.
    © 2023 SPLUNKINC. Let’s Configure it • Custom List Name • Value to Search • Column Header to search in (This Custom Function will be available for download at the end) Those arrows aren't even
  • 35.
    © 2023 SPLUNKINC. Solution 2
  • 36.
    © 2023 SPLUNKINC. Now we can revisit our SINGLE decision
  • 37.
    © 2023 SPLUNKINC. Let’s Configure it! • Expected src_country == Event src_country • Expected user == Event user If no match, we treat as normal container If it DOES match…
  • 38.
  • 39.
    © 2023 SPLUNKINC. We did it!! …. Right??
  • 40.
  • 41.
  • 42.
  • 43.
  • 44.
  • 45.
    © 2023 SPLUNKINC. We are not doing 200 playbooks.
  • 46.
    © 2023 SPLUNKINC. The Problem with Solution 2 • SOC now wants us to make even more playbooks in direct violation of SOAR rule 2: ‘We don’t want to do work’ • SOC did NOT mention getting in trouble for mixing up ‘IP Addresses’ and ‘Users’, playing the blame game for who edited the exception lookup we wrote them. • While this is objectively funny to you, you still feel bad because you gave them enough Cat5 cable to DOS themselves Solution 2 was a victim of its own success. Originally solving both SOAR problems, The solution worked so well the SOC wants it for other detections now.
  • 47.
    © 2023 SPLUNKINC. • Solution 2 SOLVES the Analyst’s Problem. • Solution 2 does solve ONE of our SOAR problems: 1) SOC leaves us alone 2) We don’t want to do work 1) Detection== ‘Interesting External Successful Authentication’ 2) User == ‘Greg.Rivas’ 3) IP == ‘Within South Korea’ Can we make this solution lazier?? The Problem with Solution 2
  • 48.
    © 2023 SPLUNKINC. Solution 3 Let's Revisit Solution 2 and see if we can make some improvements
  • 49.
    © 2023 SPLUNKINC. • Lookups! Solution 3
  • 50.
    © 2023 SPLUNKINC. • Lookups! Solution 3
  • 51.
    © 2023 SPLUNKINC. • Lookups! • We’ll make a table of IP and User pairs Solution 3
  • 52.
    © 2023 SPLUNKINC. • Lookups! • We’ll make a table of IP and User pairs with relevant field names Solution 3
  • 53.
    © 2023 SPLUNKINC. • Lookups! • We’ll make a table of IP and User pairs with relevant field names • We can now call up this table and return a boolean if a value matches! Solution 3
  • 54.
    © 2023 SPLUNKINC. • Lookups! • We’ll make a table of IP and User pairs with relevant field names • We can now call up this table and return a boolean if a value matches! • Playbook now allows field values to be RegEx compliant, allowing for wild card matches or other patterns Solution 3
  • 55.
    © 2023 SPLUNKINC. • Lookups! • We’ll make a table of IP and User pairs with relevant field names • We can now call up this table and return a boolean if a value matches! • Playbook now allows field values to be RegEx compliant, allowing for wild card matches or other patterns • SOC can also now ADD ROWS to this lookup by themselves when they get another request Solution 3
  • 56.
    © 2023 SPLUNKINC. • Lookups! • We’ll make a table of IP and User pairs with relevant field names • We can now call up this table and return a boolean if a value matches! • Playbook now allows field values to be RegEx compliant, allowing for wild card matches or other patterns • SOC can also now ADD ROWS to this lookup by themselves when they get another request • New meta fields allow for a JIRA ticket number to be included, line match statistics, and some resolution language Solution 3
  • 57.
    © 2023 SPLUNKINC. • Lookups! • We’ll make a table of IP and User pairs with relevant field names • We can now call up this table and return a boolean if a value matches! • Playbook now allows field values to be RegEx compliant, allowing for wild card matches or other patterns • SOC can also now ADD ROWS to this lookup by themselves when they get another request • New meta fields allow for a JIRA ticket number to be included, line match statistics, and some resolution language • List now includes timestamp of first and last rule match Solution 3
  • 58.
    © 2023 SPLUNKINC. • Lookups! • We’ll make a table of IP and User pairs with relevant field names • We can now call up this table and return a boolean if a value matches! • Playbook now allows field values to be RegEx compliant, allowing for wild card matches or other patterns • SOC can also now ADD ROWS to this lookup by themselves when they get another request • New meta fields allow for a JIRA ticket number to be included, line match statistics, and some resolution language • List now includes timestamp of first and last rule match • Playbook echoes a copy of the matching rule and line in closure notes and as a note in the container in case rule changes Solution 3
  • 59.
  • 60.
  • 61.
    © 2023 SPLUNKINC. This is literally the only thing the analysts care about… So uncultured!
  • 62.
    © 2023 SPLUNKINC. Solution 3
  • 63.
    © 2023 SPLUNKINC. • Solution 3 SOLVES the Analyst’s Problem. • Solution 3 SOLVES the SOAR problems: 1) SOC leaves us alone 2) We dont want to do work 1) Detection== ‘Interesting External Successful Authentication’ 2) User == ‘Greg.Rivas’ 3) IP == ‘Within South Korea’ Solution 3
  • 64.
    © 2023 SPLUNKINC. SOC now: • Has only one lookup table to worry about Solution 3
  • 65.
    © 2023 SPLUNKINC. SOC now: • Has only one lookup table to worry about • Has a table that can scale to hundreds of unique rules Solution 3
  • 66.
    © 2023 SPLUNKINC. SOC now: • Has only one lookup table to worry about • Has a table that can scale to hundreds of unique rules • Can write an autoclosure lookup rule for ANY detection that exists or could exist Solution 3
  • 67.
    © 2023 SPLUNKINC. My favorite one! SOC now: • Has only one lookup table to worry about • Has a table that can scale to hundreds of unique rules • Can write an autoclosure lookup rule for ANY detection that exists or could exist • Can write their own rules without bothering us SOAR folk Solution 3
  • 68.
    © 2023 SPLUNKINC. SOC now: • Has only one lookup table to worry about • Has a table that can scale to hundreds of unique rules • Can write an autoclosure lookup rule for ANY detection that exists or could exist • Can write their own rules without bothering us SOAR folk • Are now required to have a JIRA ticket history for the rule they write, which is used in the closure notes Solution 3
  • 69.
    © 2023 SPLUNKINC. SOC now: • Has only one lookup table to worry about • Has a table that can scale to hundreds of unique rules • Can write an autoclosure lookup rule for ANY detection that exists or could exist • Can write their own rules without bothering us SOAR folk • Are now required to have a JIRA ticket history for the rule they write, which is used in the closure notes • Can auto close tickets using text contained in the lookup, not a generic closure note Solution 3
  • 70.
    © 2023 SPLUNKINC. SOC now: • Has only one lookup table to worry about • Has a table that can scale to hundreds of unique rules • Can write an autoclosure lookup rule for ANY detection that exists or could exist • Can write their own rules without bothering us SOAR folk • Are now required to have a JIRA ticket history for the rule they write, which is used in the closure notes • Can auto close tickets using text contained in the lookup, not a generic closure note • Gets a note auto-created when a rule matches, containing the matching line from the lookup Solution 3
  • 71.
    © 2023 SPLUNKINC. But SOAR gets some wins from this too! Solution 3
  • 72.
    © 2023 SPLUNKINC. SOAR Now: • Does not have to worry about modifying playbooks for every exception from SOC Solution 3
  • 73.
    © 2023 SPLUNKINC. SOAR Now: • Does not have to worry about modifying playbooks for every exception from SOC • Has an audit trail in JIRA of such modifications or additions to the table Solution 3
  • 74.
    © 2023 SPLUNKINC. SOAR Now: • Does not have to worry about modifying playbooks for every exception from SOC • Has an audit trail in JIRA of such modifications or additions to the table • Knows exactly what rule matched and closed the alert at the time of auto-closure Solution 3
  • 75.
    © 2023 SPLUNKINC. SOAR Now: • Does not have to worry about modifying playbooks for every exception from SOC • Has an audit trail in JIRA of such modifications or additions to the table • Knows exactly what rule matched and closed the alert at the time of auto-closure Can you summarize this better? Solution 3
  • 76.
    © 2023 SPLUNKINC. Thank You Using Splunk® SOAR, we were able to empower SOC to move at speed, outside the confines that limit standard DevOps
  • 77.
    © 2023 SPLUNKINC. WAY too Salesy
  • 78.
    © 2023 SPLUNKINC. Thank You We don’t have to listen to the SOC complain at SOAR about false positives anymore!
  • 79.
    © 2023 SPLUNKINC. Demo Video
  • 80.
    © 2023 SPLUNKINC. Git Link is listed below Greg Rivas https://beacons.ai/not_greg
  • 81.
    © 2023 SPLUNKINC. Thank You