Ug soar 22sep21
Eric Gardner
"Splunk SOAR User Group: Automation Use Cases" Deck from 22SEP21
1.
© 2021 SPLUNK INC.
Splunk SOAR User Group: Automation Use Cases
Eric Gardner (Splunk) – Sr. Solutions Engineer, Public Sector - DoD
2.
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements made herein. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release. Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2021 SPLUNK Inc. All rights reserved.
3.
Agenda
• User Groups – how they should work
• Introductions
  • A little about me
  • A little about you
• Splunk SOAR (formerly known as Phantom)
  • Git behind the scenes
• Automation Use Cases
  • Splunk's Stories
  • Your Stories
• Wrap-up
  • User groups going forward
4.
Splunk User Groups
Splunk User Groups (Splunk UGs) are independently run, Splunk-supported groups that hold events where Splunk users of all levels and interests come together in a casual environment to learn, teach, and connect with one another.
Key Points:
• Connect!!!
• Learn from each other
• We want to hear how you're using Splunk
• Splunkers (like your SE and CSM) are here to help
5.
#whoami
Eric Gardner
ericg@splunk.com
• 20+ years in IT (ITOPS focus)
• Worked with DoD/INTEL since leaving the Army in 1999.
• Spend my time traveling and usually planning travel when not actually doing it. Lately spending lots of time fighting bamboo.
• Based out of Bridgton, ME (that's about 1 hour north-west of Portland and Stephen King's stomping grounds)
6.
7.
Git'er Done
Yep, Git's in there.
You can save your Splunk Phantom playbooks in Git repositories. By default, playbooks are managed in a Git repository called local. You can create additional Git repositories as needed. Doing so enables you to perform the following tasks:
• Import and export playbooks and share facilities among Splunk Phantom instances. (Example: publish from Dev to Prod)
• Edit playbooks using a tool of your choice instead of the Splunk Phantom web interface.
8.
Automation Use Cases
Today we are going to discuss:
👉 The five most common use cases for SOAR.
👉 How a SOAR solution can help your analysts tackle the most repetitive tasks.
👉 How to automate these steps using a pre-built playbook from Splunk SOAR.
Get the eBook here: https://www.splunk.com/en_us/form/5-automation-use-cases-for-splunk-soar.html
9.
Alert Enrichment
The Recorded Future Indicator Enrichment Playbook enriches ingested events that contain file hashes, IP addresses, domain names or URLs. Contextualizing these details around relevant threat intelligence and IOCs helps accelerate the investigation.
The actions available in this playbook include:
1. Domain intelligence: Get threat intelligence for a domain
2. File intelligence: Get threat intelligence for a file identified by its hash
3. IP intelligence: Get threat intelligence for an IP address
4. URL intelligence: Get threat intelligence for a URL
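The core of an enrichment playbook like the one above is deciding which of the four intelligence actions each indicator in an event should go to, then rolling the answers up for the analyst. The following Python is an added example written for this page, not code from the deck or from Splunk's or Recorded Future's playbook: it classifies raw indicator strings into hash / IP / domain / URL, routes each to the action named on the slide, and summarises the result. The SAMPLE_INTEL table, SAMPLE_EVENT, and every risk score in it are constructed stand-ins for what the real lookups would return.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed threat-intel table standing in for the Recorded Future lookups
# the playbook performs; every entry and score here is invented for this example.
SAMPLE_INTEL = {
    "hash:44d88612fea8a8f36de82e1278abb02f": {"risk": 89, "tags": ["malware"]},
    "ip:203.0.113.45": {"risk": 72, "tags": ["c2"]},
    "domain:bad.example": {"risk": 65, "tags": ["phishing"]},
    "url:http://bad.example/login": {"risk": 91, "tags": ["phishing", "credential-harvest"]},
}

# Indicator type -> the playbook action (slide 9) that would handle it.
ACTION_FOR_TYPE = {
    "hash": "file intelligence",
    "ip": "ip intelligence",
    "domain": "domain intelligence",
    "url": "url intelligence",
}

HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def classify_indicator(value):
    """Return 'hash', 'ip', 'url', 'domain', or None for a raw indicator string."""
    v = value.strip()
    if HASH_RE.match(v):                      # MD5 / SHA-1 / SHA-256 hex digests
        return "hash"
    try:
        ipaddress.ip_address(v)               # accepts both IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    return None


def normalize(kind, value):
    """Canonical lookup key; URLs keep their case-sensitive path."""
    v = value.strip()
    return v if kind == "url" else v.lower()


def enrich_event(event, intel=SAMPLE_INTEL):
    """Run the matching intelligence action for each indicator found in an event."""
    results = []
    for raw in event.get("indicators", []):
        kind = classify_indicator(raw)
        if kind is None:
            results.append({"indicator": raw, "type": None, "action": None,
                            "risk": None, "tags": [], "note": "unsupported indicator"})
            continue
        hit = intel.get(f"{kind}:{normalize(kind, raw)}")
        results.append({
            "indicator": raw,
            "type": kind,
            "action": ACTION_FOR_TYPE[kind],
            "risk": hit["risk"] if hit else 0,
            "tags": hit["tags"] if hit else [],
            "note": "enriched" if hit else "no intelligence",
        })
    return results


def summarize(results):
    """Roll enrichment results up into the fields an analyst reads first."""
    risks = [r["risk"] for r in results if r["risk"] is not None]
    return {
        "max_risk": max(risks, default=0),
        "enriched": sum(1 for r in results if r["note"] == "enriched"),
        "unknown": sum(1 for r in results if r["note"] == "no intelligence"),
        "unsupported": sum(1 for r in results if r["note"] == "unsupported indicator"),
    }


# Constructed event: one indicator of each type plus two edge cases.
SAMPLE_EVENT = {
    "id": "evt-0001",
    "indicators": [
        "44D88612FEA8A8F36DE82E1278ABB02F",   # MD5 in mixed case
        "203.0.113.45",
        "bad.example",
        "http://bad.example/login",
        "10.0.0.5",                            # valid IP with no intelligence on file
        "not an indicator",
    ],
}

if __name__ == "__main__":
    enriched = enrich_event(SAMPLE_EVENT)
    for r in enriched:
        print(f"{r['indicator']!r:40} {str(r['type']):7} {str(r['action']):21} risk={r['risk']} {r['note']}")
    print(summarize(enriched))
```

The two edge cases matter in practice: an indicator type the playbook has no action for must be reported rather than silently skipped, and a valid indicator with no intelligence should score 0 and be counted separately so the analyst can tell "looked up, nothing known" from "never looked up".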
10.
Phishing Investigation and Response
The Phishing Investigate and Respond Playbook investigates incoming phishing emails and contains them automatically.
The actions available in this playbook include:
1. File reputation: Queries VirusTotal for file reputation information
2. URL reputation: Submits a single website link for WildFire verdict
3. Domain reputation: Evaluates the risk of a given domain
4. IP reputation: Queries VirusTotal for IP information
5. Geolocate IP address: Queries MaxMind for IP location information
6. Determine whois domain: Execute a whois lookup on the given domain
7. Determine whois IP: Execute a whois lookup on the given IP
Then, the playbook will continue to gather information on the attached file and URL from the email and launch these two actions:
8. Detonate file: Run the file in the Threat Grid sandbox and retrieve the analysis
9. Detonate URL: Load the URL in the Threat Grid sandbox and retrieve the analysis
11.
Endpoint Malware Triage
The CrowdStrike Malware Triage Playbook can respond to a high volume of endpoint alerts, filter out the false positives, determine risk level, provide an analyst with all the details to choose how to respond, and finally handle the threat based on the analyst's response.
The actions available in this playbook include:
1. Get indicator: Get an IOC by providing a type and value
2. Get process detail: Retrieve the details of a process that is running or that previously ran, given a process ID
3. Get system info: Get details of a device, given the device ID
4. Hunt file: Hunt for a file on the network by querying for the hash
5. List processes: List processes that have recently used the IOC on a particular device
6. Quarantine device: Block the device
7. Upload indicator: Upload one or more indicators that you want CrowdStrike to watch
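The triage flow the slide describes (drop false positives, score what is left, prompt the analyst, act on the answer) is the part that usually needs the most care when a playbook sees a burst of alerts. The Python below is an added example for this page, not CrowdStrike's or Splunk's playbook code: it dedupes a constructed alert batch, removes allowlisted hashes, assigns a risk level from "get process detail" style facts, and turns the analyst's choice into the quarantine / upload-indicator actions named on the slide. Every hash, device, hostname, process and the SUSPICIOUS_PARENTS heuristic are invented for the example.

```python
# Constructed data standing in for CrowdStrike responses; every hash, device and
# process below is invented for this example.
KNOWN_GOOD_HASHES = {"1" * 32}          # approved software (allowlist)
WATCHED_HASHES = {"2" * 32}             # indicators already confirmed malicious

SAMPLE_ALERTS = [
    {"id": "al-1", "device_id": "dev-01", "hash": "1" * 32, "pid": 1204},
    {"id": "al-2", "device_id": "dev-02", "hash": "2" * 32, "pid": 3310},
    {"id": "al-3", "device_id": "dev-03", "hash": "3" * 32, "pid": 4002},
    {"id": "al-4", "device_id": "dev-02", "hash": "2" * 32, "pid": 3310},  # same event, re-sent
]

# What "get process detail" and "get system info" would return, keyed for lookup.
PROCESS_DETAILS = {
    ("dev-01", 1204): {"name": "updater.exe", "signed": True, "parent": "services.exe"},
    ("dev-02", 3310): {"name": "svchost.exe", "signed": False, "parent": "winword.exe"},
    ("dev-03", 4002): {"name": "build.exe", "signed": False, "parent": "explorer.exe"},
}
SYSTEM_INFO = {
    "dev-01": {"hostname": "wks-fin-07"},
    "dev-02": {"hostname": "lt-sales-12"},
    "dev-03": {"hostname": "dev-build-01"},
}

# Assumed heuristic: an unsigned binary spawned by an Office application is high risk.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
ANALYST_OPTIONS = ("quarantine", "monitor", "dismiss")


def risk_level(alert, detail):
    """Assign low / medium / high from indicator and process facts (assumed rules)."""
    if alert["hash"] in WATCHED_HASHES:
        return "high"
    if not detail["signed"] and detail["parent"].lower() in SUSPICIOUS_PARENTS:
        return "high"
    if not detail["signed"]:
        return "medium"
    return "low"


def triage(alerts, process_details=PROCESS_DETAILS, system_info=SYSTEM_INFO):
    """Drop false positives and duplicates, score the rest, build analyst prompts."""
    dropped, prompts, seen = [], [], {}
    for alert in alerts:
        key = (alert["device_id"], alert["hash"], alert["pid"])
        if alert["hash"] in KNOWN_GOOD_HASHES:
            dropped.append({"id": alert["id"], "reason": "allowlisted hash"})
            continue
        if key in seen:
            dropped.append({"id": alert["id"], "reason": f"duplicate of {seen[key]}"})
            continue
        seen[key] = alert["id"]
        detail = process_details.get((alert["device_id"], alert["pid"]),
                                     {"name": "?", "signed": False, "parent": "?"})
        prompts.append({
            "alert_id": alert["id"],
            "device_id": alert["device_id"],
            "hostname": system_info.get(alert["device_id"], {}).get("hostname", "unknown"),
            "hash": alert["hash"],
            "process": detail,
            "risk": risk_level(alert, detail),
            "options": ANALYST_OPTIONS,
        })
    # Highest risk first so the analyst sees the most urgent prompt at the top.
    order = {"high": 0, "medium": 1, "low": 2}
    prompts.sort(key=lambda p: order[p["risk"]])
    return {"dropped": dropped, "prompts": prompts}


def handle_response(prompt, choice):
    """Translate the analyst's choice into the playbook actions to run."""
    if choice not in ANALYST_OPTIONS:
        raise ValueError(f"unknown choice {choice!r}")
    actions = []
    if choice == "quarantine":
        actions.append(f"quarantine device {prompt['device_id']}")
    if choice in ("quarantine", "monitor"):
        actions.append(f"upload indicator {prompt['hash']}")
    return actions


if __name__ == "__main__":
    outcome = triage(SAMPLE_ALERTS)
    for d in outcome["dropped"]:
        print("dropped", d)
    for p in outcome["prompts"]:
        print(p["alert_id"], p["hostname"], p["risk"], p["process"]["name"])
        print("  on 'quarantine':", handle_response(p, "quarantine"))
```

Note that an unknown process detail falls back to "unsigned, unknown parent" rather than "low risk": a lookup failure should never quietly downgrade an alert.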
12.
Command and Control: Investigation and Containment
The C2 Investigate and Contain Playbook is designed to perform the investigative and potential containment steps required to properly handle a command-and-control attack scenario.
The actions available in this playbook include:
1. Block hash: Add a hash to the Carbon Black blacklist
2. Block IP: Block an IP
3. Find malware: Execute the malfind Volatility plugin to find injected code/DLLs in user-mode memory
4. Geolocate IP: Queries MaxMind for IP location info
5. Get process file: Extracts the process file from the memory dump
6. Get report: Get further details about an AutoFocus tag
7. Hunt IP: Hunt an IP and retrieve a list of associated tags
8. List VM(s): Get the list of registered VM(s)
9. Send email: Send an email
10. Snapshot VM(s): Take a snapshot of the VM(s)
11. Terminate process: Kill running processes on a machine
12. Whois IP: Execute a whois lookup on the given IP
13.
Threat Intelligence
The Recorded Future Correlation Response Playbook is used to gather more context about relevant network indicators.
The actions in this playbook include:
1. Block IP: Blocks an IP network
2. Domain intelligence: Get threat intelligence for a domain
3. IP intelligence: Get threat intelligence for an IP address
14.
Bonus: Block with Zscaler
Once the analyst is able to block the network access via the Recorded Future Correlation Response Playbook, Splunk SOAR can trigger a second playbook to investigate, hunt and block a URL.
When a suspicious URL is detected, the Zscaler Hunt and Block URL Playbook can be used to identify internal devices that have accessed that URL and triage the organizational importance of those devices. Then, depending on the maliciousness of the URL and whether or not the affected device belongs to an executive in the organization, the URL will be blocked and an appropriate ServiceNow ticket will be created.
The actions in this playbook include:
1. Block URL: Block a URL
2. Create ticket: Create an incident
3. Get user attributes: Gets the attributes of a user
4. Lookup URL: Lookup the categories related to a URL
5. Quarantine device: Quarantine the endpoint
6. Run query: Gets object data according to the specified query
7. URL reputation: Queries VirusTotal for URL info
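The slide states the branching (URL maliciousness, whether an executive's device touched it, then block plus a ServiceNow ticket of matching severity) but not the thresholds. The Python below is an added example for this page, not the Zscaler / Splunk playbook itself: it joins the "run query" access records with "get user attributes" results, combines the category lookup with the VirusTotal ratio, and returns the block / quarantine / ticket decision. MALICIOUS_CATEGORIES, MALICIOUS_RATIO, the priority labels, and all sample URLs, devices and users are assumptions constructed for the example.

```python
# Assumed policy values; the slide gives the branching, not the thresholds.
MALICIOUS_CATEGORIES = {"Phishing", "Malware", "Botnet", "Command and Control"}
MALICIOUS_RATIO = 0.10   # share of VirusTotal engines flagging the URL that counts as malicious

# Constructed stand-ins for the playbook's lookups: Zscaler "lookup url",
# VirusTotal "url reputation", "run query" proxy hits, and "get user attributes".
SAMPLE_URL = {"url": "http://bad.example/login", "categories": ["Phishing"],
              "vt_malicious": 12, "vt_total": 70}
BENIGN_URL = {"url": "https://docs.example.com/", "categories": ["Business"],
              "vt_malicious": 0, "vt_total": 70}
SAMPLE_ACCESS = [  # internal devices whose proxy logs show the URL
    {"device": "lt-0042", "user": "cfinch"},
    {"device": "wks-0110", "user": "jdoe"},
]
SAMPLE_USERS = {
    "cfinch": {"title": "Chief Financial Officer", "executive": True},
    "jdoe": {"title": "Analyst", "executive": False},
}


def is_malicious(url_info):
    """Combine the category lookup with the reputation ratio (assumed rule)."""
    flagged_category = bool(set(url_info.get("categories", [])) & MALICIOUS_CATEGORIES)
    ratio = url_info["vt_malicious"] / max(url_info["vt_total"], 1)
    return flagged_category or ratio >= MALICIOUS_RATIO


def decide_response(url_info, access_records, users):
    """Return the block / quarantine / ticket decision the playbook would execute."""
    affected = []
    for rec in access_records:
        attrs = users.get(rec["user"], {})          # unknown user -> treated as non-executive
        affected.append({"device": rec["device"], "user": rec["user"],
                         "executive": bool(attrs.get("executive", False))})

    if not is_malicious(url_info):
        return {"block": False, "quarantine": [], "ticket": None, "affected": affected}

    executive_hit = any(d["executive"] for d in affected)
    if executive_hit:
        priority = "1 - Critical"
    elif affected:
        priority = "3 - Moderate"
    else:
        priority = "4 - Low"                        # malicious, but nobody inside reached it

    return {
        "block": True,
        # Assumed policy: only executives' devices are quarantined automatically;
        # everyone else's stay on the ticket for analyst follow-up.
        "quarantine": [d["device"] for d in affected if d["executive"]],
        "ticket": {
            "priority": priority,
            "short_description": f"Malicious URL blocked: {url_info['url']}",
            "description": (f"{len(affected)} internal device(s) accessed the URL; "
                            f"executive devices affected: {executive_hit}"),
            "devices": [d["device"] for d in affected],
        },
        "affected": affected,
    }


if __name__ == "__main__":
    for info in (SAMPLE_URL, BENIGN_URL):
        decision = decide_response(info, SAMPLE_ACCESS, SAMPLE_USERS)
        print(info["url"], "->", "block" if decision["block"] else "allow",
              decision["quarantine"], decision["ticket"] and decision["ticket"]["priority"])
```

Keeping the decision in a pure function that returns a record, rather than calling the block / ticket actions directly, lets the same logic be unit-tested against the three branches (executive hit, non-executive hit, no internal access) before it is wired to live connectors.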
15.
Wrap-up