© 2 0 2 1 S P L U N K I N C .
Splunk SOAR User Group:
Automation Use Cases
Eric Gardner (Splunk) – Sr. Solutions Engineer
Public Sector - DoD
During the course of this presentation, we may make forward-looking statements regarding
future events or plans of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual
events or results may differ materially. The forward-looking statements made in this
presentation are being made as of the time and date of its live presentation. If reviewed after
its live presentation, it may not contain current or accurate information. We do not assume
any obligation to update any forward-looking statements made herein.
In addition, any information about our roadmap outlines our general product direction and is
subject to change at any time without notice. It is for informational purposes only, and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation
either to develop the features or functionalities described or to include any such feature or
functionality in a future release.
Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk
Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States
and other countries. All other brand names, product names, or trademarks belong to their
respective owners. © 2021 SPLUNK Inc. All rights reserved.
Forward-Looking Statements
Agenda
• User Groups – how they should work
• Introductions
• A little about me
• A little about you
• Splunk SOAR (formerly known as Phantom)
• Git behind the scenes
• Automation Use Cases
• Splunk’s Stories
• Your Stories
• Wrap-up
• User groups going forward
Splunk User Groups
Splunk User Groups (Splunk UGs) are independently run, Splunk-
supported groups that hold events where Splunk Users of all levels and
interests come together in a casual environment to learn, teach, and
connect with one another.
Key Points:
• Connect!!!
• Learn from each other
• We want to hear how you’re using Splunk
• Splunkers (like your SE and CSM) are here to help
#whoami
Eric Gardner ericg@splunk.com
• 20+ years in IT (ITOPS focus)
• Worked with DoD/INTEL since leaving the Army in 1999.
• Spend my time traveling and usually planning travel when
not actually doing it. Lately spending lots of time fighting
bamboo.
• Based out of Bridgton, ME (that’s about 1 hour north-west
of Portland and Stephen King’s stomping grounds)
Git’er Done
Yep, Git’s in there
You can save your Splunk Phantom playbooks in Git repositories. By
default, playbooks are managed in a Git repository called local. You can
create additional Git repositories as needed. Doing so enables you to
perform the following tasks:
• Import and export playbooks and share them among Splunk Phantom
instances (for example, publish from Dev to Prod).
• Edit playbooks using a tool of your choice instead of the Splunk
Phantom web interface.
Automation Use Cases
Today we are going to discuss:
👉 The five most common use cases for SOAR.
👉 How a SOAR solution can help your analysts tackle the most repetitive tasks.
👉 How to automate these steps using a pre-built playbook from Splunk SOAR.
Get the eBook here:
https://www.splunk.com/en_us/form/5-automation-use-cases-for-splunk-soar.html
Alert Enrichment
The Recorded Future Indicator Enrichment Playbook enriches
ingested events that contain file hashes, IP addresses, domain names
or URLs. Putting these details in the context of relevant threat
intelligence and known IOCs helps accelerate the investigation.
The actions available in this playbook include:
1. Domain intelligence: Get threat intelligence for a domain
2. File intelligence: Get threat intelligence for a file identified by its hash
3. IP intelligence: Get threat intelligence for an IP address
4. URL intelligence: Get threat intelligence for a URL
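The routing step behind this playbook, as an added example that is not code from the deck, Splunk or Recorded Future: each artifact value is typed by what it actually is, not by the field it sits in, so a hash in the wrong field still gets file intelligence and an IP in a domain field is never sent to a domain lookup. The CEF field names scanned, the action parameter names and the sample container are assumptions.

```python
"""Indicator classification and enrichment dispatch for a SOAR container.

Added example, not code from the slide deck, Splunk or Recorded Future.
A container's artifacts are scanned, each value is typed by what it actually
is (not by the field it sits in), and one of the four enrichment actions on
the slide is queued per distinct indicator. Assumptions: the CEF field names
scanned, the action parameter names, and the sample container itself.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# CEF fields that normally carry indicators (assumed list; extend as needed).
INDICATOR_FIELDS = {
    "sourceAddress", "destinationAddress", "sourceDnsDomain",
    "destinationDnsDomain", "requestURL", "fileHash",
    "fileHashMd5", "fileHashSha1", "fileHashSha256",
}
# Slide action name and the parameter it takes (parameter names are assumed).
ACTION_FOR_TYPE = {
    "domain": ("domain intelligence", "domain"),
    "file": ("file intelligence", "hash"),
    "ip": ("ip intelligence", "ip"),
    "url": ("url intelligence", "url"),
}
_HASH_LENGTHS = {32, 40, 64}            # md5 / sha1 / sha256 hex digests
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


def classify_indicator(value):
    """Return 'ip', 'file', 'url', 'domain' or None for one raw artifact value."""
    v = value.strip()
    if not v:
        return None
    try:                       # IPv4 or IPv6; anything else raises ValueError
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if len(v) in _HASH_LENGTHS and _HEX_RE.match(v):
        return "file"
    parts = urlsplit(v)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "url"
    if "/" in v and _DOMAIN_RE.match(v.split("/", 1)[0]):
        return "url"           # scheme-less host/path is still a URL
    if _DOMAIN_RE.match(v):
        return "domain"
    return None


def build_enrichment_plan(container):
    """Return one queued action per distinct indicator found in the container.

    Each entry is {"action", "parameters", "artifact_ids"}: an IOC seen in
    several artifacts is looked up once and linked back to all of them.
    """
    plan = {}
    for artifact in container.get("artifacts", []):
        for field, value in artifact.get("cef", {}).items():
            if field not in INDICATOR_FIELDS or not isinstance(value, str):
                continue
            kind = classify_indicator(value)
            if kind is None:   # e.g. an empty or free-text value in an IOC field
                continue
            action, param = ACTION_FOR_TYPE[kind]
            clean = value.strip()
            # URLs stay case-sensitive (paths); hashes, IPs and domains do not.
            key = (action, clean if kind == "url" else clean.lower())
            entry = plan.setdefault(
                key, {"action": action, "parameters": {param: clean}, "artifact_ids": []})
            if artifact["id"] not in entry["artifact_ids"]:
                entry["artifact_ids"].append(artifact["id"])
    return list(plan.values())


# Constructed sample container in the shape SOAR hands a playbook.
SAMPLE_CONTAINER = {
    "id": 1001,
    "name": "Proxy alert: outbound download from suspicious host",
    "artifacts": [
        {"id": 1, "cef": {"sourceAddress": "10.20.30.40",
                          "destinationAddress": "203.0.113.77",
                          "requestURL": "http://bad.example.net/dl/update.bin"}},
        {"id": 2, "cef": {"destinationDnsDomain": "bad.example.net",
                          "fileHash": "0123456789abcdef0123456789abcdef",
                          "fileName": "update.bin"}},
        # Mislabelled artifact: an IP address in a domain field. Value-based
        # typing still routes it to IP intelligence instead of a domain lookup.
        {"id": 3, "cef": {"destinationDnsDomain": "203.0.113.77"}},
    ],
}

if __name__ == "__main__":
    for entry in build_enrichment_plan(SAMPLE_CONTAINER):
        print(entry["action"], entry["parameters"], "artifacts", entry["artifact_ids"])
```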
Phishing Investigation and Response
The Phishing Investigate and Respond Playbook investigates incoming phishing emails and
contains them automatically.
The actions available in this playbook include:
1. File reputation: Queries VirusTotal for file reputation information
2. URL reputation: Submits a single website link for WildFire verdict
3. Domain reputation: Evaluates the risk of a given domain
4. IP reputation: Queries VirusTotal for IP information
5. Geolocate IP address: Queries MaxMind for IP location information
6. Determine whois domain: Execute a whois lookup on the given domain
7. Determine whois IP: Execute a whois lookup on the given IP
Then, the playbook will continue to gather information on the attached file and
URL from the email and launch these two actions:
8. Detonate file: Run the file in the Threat Grid sandbox and retrieve the analysis
9. Detonate URL: Load the URL in the Threat Grid sandbox and retrieve the analysis
Endpoint Malware Triage
The CrowdStrike Malware Triage Playbook responds to a high volume of endpoint alerts: it filters out the false
positives, determines the risk level, gives the analyst all the details needed to choose how to respond, and finally
handles the threat based on the analyst’s response.
The actions available in this playbook include:
1. Get indicator: Get an IOC by providing a type and value
2. Get process detail: Retrieve the details of a process that is running or that previously ran, given a process ID
3. Get system info: Get details of a device, given the device ID
4. Hunt file: Hunt for a file on the network by querying for the hash
5. List processes: List processes that have recently used the IOC on a particular device
6. Quarantine device: Block the device
7. Upload indicator: Upload one or more indicators that you want CrowdStrike to watch
Command and Control:
Investigation and Containment
The C2 Investigate and Contain Playbook is designed to perform the investigative and potential
containment steps required to properly handle a command-and-control attack scenario.
The actions available in this playbook include:
1. Block hash: Add a hash to the Carbon Black blacklist
2. Block IP: Block an IP
3. Find malware: Execute the malfind volatility plugin to find injected code/dlls in user mode memory
4. Geolocate IP: Queries MaxMind for IP location info
5. Get process file: Extracts the process file from the memory dump
6. Get report: Get further details about an AutoFocus tag
7. Hunt IP: Hunt an IP and retrieve a list of associated tags
8. List VM(s): Get the list of registered VM(s)
9. Send email: Send an email
10. Snapshot VM(s): Take a snapshot of the VM(s)
11. Terminate process: Kill running processes on a machine
12. Whois IP: Execute a whois lookup on the given IP
Threat Intelligence
The Recorded Future Correlation Response Playbook is used to gather more context about relevant
network indicators.
The actions in this playbook include:
1. Block IP: Blocks an IP network
2. Domain Intelligence: Get threat intelligence for a domain
3. IP Intelligence: Get threat intelligence for an IP address
Bonus: Block with Zscaler
Once the analyst is able to block the network access via the Recorded Future Correlation Response
Playbook, Splunk SOAR can trigger a second playbook to investigate, hunt and block a URL.
When a suspicious URL is detected, the Zscaler Hunt and Block URL Playbook can be used to identify
internal devices that have accessed that URL and triage the organizational importance of those devices.
Then, depending on the maliciousness of the URL and whether or not the affected device belongs to an
executive in the organization, the URL will be blocked and an appropriate ServiceNow ticket will be created.
The actions in this playbook include:
1. Block URL: Block a URL
2. Create ticket: Create an incident
3. Get user attributes: Gets the attributes of a user
4. Lookup URL: Lookup the categories related to a URL
5. Quarantine device: Quarantine the endpoint
6. Run query: Gets object data according to the specified query
7. URL reputation: Queries VirusTotal for URL info
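The block-and-ticket decision described above, as an added example that is not code from the deck, Splunk or Zscaler: the URL's reputation and categories decide the verdict, the owners of the devices that accessed it decide organizational importance, and the two together decide whether the URL is blocked and what priority the ServiceNow ticket gets. The thresholds, category names, executive test, priority values and sample data are assumptions standing in for what the reputation, lookup, query and user-attribute actions would return.

```python
"""Hunt-and-block triage decision for a suspicious URL.

Added example, not code from the slide deck, Splunk or Zscaler. Pure
decision logic for the slide's flow; the thresholds, category names,
executive test, ServiceNow priority numbers and sample data are assumptions
standing in for what 'url reputation', 'lookup url', 'run query' and
'get user attributes' would return.
"""

MALICIOUS_POSITIVES = 5      # engines flagging the URL before it counts as malicious
SUSPICIOUS_POSITIVES = 1
RISKY_CATEGORIES = {"Phishing", "Malicious Sites", "Botnet Callback"}   # constructed names
EXEC_TITLE_WORDS = {"chief", "president", "vp", "director"}              # constructed
EXEC_DEPARTMENTS = {"Executive"}                                         # constructed
PRIORITY = {"malicious_exec": 1, "malicious": 3, "suspicious": 4}       # assumed values


def url_verdict(positives, categories):
    """Fold AV positives and proxy categories into malicious/suspicious/benign."""
    if positives >= MALICIOUS_POSITIVES or RISKY_CATEGORIES & set(categories):
        return "malicious"
    if positives >= SUSPICIOUS_POSITIVES:
        return "suspicious"
    return "benign"


def is_executive(user):
    """Organizational-importance test on the user's directory attributes."""
    title_words = set(user.get("title", "").lower().split())
    return user.get("department") in EXEC_DEPARTMENTS or bool(title_words & EXEC_TITLE_WORDS)


def plan_response(url, positives, categories, devices):
    """Return (verdict, ordered action list) for one hunted URL.

    devices: [{"hostname": str, "owner": {user attributes}}, ...] from the hunt.
    A benign URL produces no actions; a suspicious one gets a review ticket
    only; a malicious one is blocked, executive devices are quarantined
    (assumed policy) and the ticket is raised at the highest priority.
    """
    verdict = url_verdict(positives, categories)
    if verdict == "benign":
        return verdict, []
    actions = []
    exec_hosts = [d["hostname"] for d in devices if is_executive(d["owner"])]
    if verdict == "malicious":
        actions.append({"action": "block url", "url": url})
        for host in exec_hosts:
            actions.append({"action": "quarantine device", "hostname": host})
        prio = PRIORITY["malicious_exec"] if exec_hosts else PRIORITY["malicious"]
    else:
        prio = PRIORITY["suspicious"]
    affected = ", ".join(d["hostname"] for d in devices) or "none"
    detail = f"Devices: {affected}"
    if exec_hosts:
        detail += f"; executive devices: {', '.join(exec_hosts)}"
    actions.append({
        "action": "create ticket",
        "priority": prio,
        "short_description": f"{verdict.capitalize()} URL {url}",
        "description": detail,
    })
    return verdict, actions


# Constructed sample data: two devices that accessed the URL and their owners.
SAMPLE_DEVICES = [
    {"hostname": "ws-ceo-01",
     "owner": {"title": "Chief Executive Officer", "department": "Executive"}},
    {"hostname": "ws-eng-17",
     "owner": {"title": "Software Engineer", "department": "Engineering"}},
]

if __name__ == "__main__":
    verdict, actions = plan_response("http://bad.example.net/login", 7, ["Phishing"], SAMPLE_DEVICES)
    print(verdict)
    for a in actions:
        print(a)
```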
Wrap-up

 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

Ug soar 22sep21

  • 4. Splunk User Groups
    Splunk User Groups (Splunk UGs) are independently run, Splunk-supported groups that hold events where Splunk Users of all levels and interests come together in a casual environment to learn, teach, and connect with one another.
    Key Points:
    • Connect!!!
    • Learn from each other
    • We want to hear how you’re using Splunk
    • Splunkers (like your SE and CSM) are here to help
  • 5. #whoami
    Eric Gardner ericg@splunk.com
    • 20+ years in IT (ITOPS focus)
    • Worked with DoD/INTEL since leaving the Army in 1999.
    • Spend my time traveling and usually planning travel when not actually doing it. Lately spending lots of time fighting bamboo.
    • Based out of Bridgton, ME (that’s about 1 hour north-west of Portland and Stephen King’s stomping grounds)
  • 7. Git’er Done
    Yep, Git’s in there.
    You can save your Splunk Phantom playbooks in Git repositories. By default, playbooks are managed in a Git repository called local. You can create additional Git repositories as needed. Doing so enables you to perform the following tasks:
    • Import and export playbooks and share them among Splunk Phantom instances (example: publish from Dev to Prod).
    • Edit playbooks using a tool of your choice instead of the Splunk Phantom web interface.
    Playbooks are Python that runs with the automation user’s privileges, so treat the repository like any other code: restrict who can push to it and review changes before publishing to Prod.
  • 8. Automation Use Cases
    Today we are going to discuss:
    👉 The five most common use cases for SOAR.
    👉 How a SOAR solution can help your analysts tackle the most repetitive tasks.
    👉 How to automate these steps using a pre-built playbook from Splunk SOAR.
    Get the eBook here: https://www.splunk.com/en_us/form/5-automation-use-cases-for-splunk-soar.html
  • 9. Alert Enrichment
    The Recorded Future Indicator Enrichment Playbook enriches ingested events that contain file hashes, IP addresses, domain names or URLs. Contextualizing these details with relevant threat intelligence and IOCs helps accelerate the investigation.
    The actions available in this playbook include:
    1. Domain intelligence: Get threat intelligence for a domain
    2. File intelligence: Get threat intelligence for a file identified by its hash
    3. IP intelligence: Get threat intelligence for an IP address
    4. URL intelligence: Get threat intelligence for a URL
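    An enrichment playbook has to decide, per artifact, which of the four actions above applies and skip values that cannot be enriched. The Python below is an added example written for this page, not Splunk’s playbook code or Recorded Future’s app: the action names are the slide’s, while the parameter names, the CEF field names it reads and the sample artifacts are assumptions. It also handles two edge cases a real queue produces: defanged indicators (hxxp://, [.]) and internal addresses that carry no threat-intel signal.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicator type -> (action named on the slide, parameter name).
# Action names are from the slide; parameter names are an assumption.
ACTION_FOR_TYPE = {
    "domain": ("domain intelligence", "domain"),
    "hash": ("file intelligence", "hash"),
    "ip": ("ip intelligence", "ip"),
    "url": ("url intelligence", "url"),
}

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5 / SHA-1 / SHA-256
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Explicit RFC 1918 check: ipaddress's is_private also flags the RFC 5737
# documentation ranges (198.51.100.0/24 etc.) used in the sample data below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# CEF fields a SOAR artifact commonly carries (assumed), in lookup order.
CEF_FIELDS = ("sourceAddress", "destinationAddress", "requestURL", "fileHash", "destinationDnsDomain")


def refang(value: str) -> str:
    """Undo common defanging so 'hxxp://evil[.]example' enriches as a real URL."""
    v = re.sub(r"^hxxp", "http", value.strip(), flags=re.I)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def classify(value: str):
    """Return (kind, normalised value); kind is 'hash', 'ip', 'url', 'domain' or None."""
    v = refang(value)
    if HASH_RE.match(v):
        return "hash", v.lower()
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        # Internal, loopback and link-local addresses are not worth an intel query.
        if ip.is_loopback or ip.is_link_local or any(ip in n for n in RFC1918):
            return None, v
        return "ip", v
    if "://" in v:
        parsed = urlparse(v)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return "url", v
        return None, v
    if DOMAIN_RE.match(v):
        return "domain", v.lower()
    return None, v


def plan_enrichment(artifacts):
    """Return the ordered, de-duplicated list of (action, parameters) calls to issue."""
    plan, seen = [], set()
    for art in artifacts:
        for field in CEF_FIELDS:
            raw = art.get("cef", {}).get(field)
            if not raw:
                continue
            kind, value = classify(raw)
            if kind is None or (kind, value) in seen:
                continue
            seen.add((kind, value))
            action, param = ACTION_FOR_TYPE[kind]
            plan.append((action, {param: value}))
    return plan


# Constructed sample artifacts (not real data); the MD5 is the EICAR test file's.
SAMPLE_ARTIFACTS = [
    {"cef": {"sourceAddress": "10.0.0.5", "destinationAddress": "198.51.100.23",
             "requestURL": "hxxp://evil[.]example/payload.exe",
             "fileHash": "44D88612FEA8A8F36DE82E1278ABB02F"}},
    {"cef": {"destinationDnsDomain": "EVIL.example", "destinationAddress": "198.51.100.23"}},
]

if __name__ == "__main__":
    for action, params in plan_enrichment(SAMPLE_ARTIFACTS):
        print(f"{action:<20} {params}")
```

    Run it with python3 and the two sample artifacts collapse to four calls: the internal 10.0.0.5 is dropped, the repeated destination address is queried once, and the defanged URL and upper-case hash are normalised before they reach the intel provider. In a real playbook each tuple becomes one action call; the de-duplication matters because intel APIs are rate-limited and per-query billed.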
  • 10. Phishing Investigation and Response
    The Phishing Investigate and Respond Playbook investigates incoming phishing emails and contains them automatically.
    The actions available in this playbook include:
    1. File reputation: Queries VirusTotal for file reputation information
    2. URL reputation: Submits a single website link for a WildFire verdict
    3. Domain reputation: Evaluates the risk of a given domain
    4. IP reputation: Queries VirusTotal for IP information
    5. Geolocate IP address: Queries MaxMind for IP location information
    6. Determine whois domain: Execute a whois lookup on the given domain
    7. Determine whois IP: Execute a whois lookup on the given IP
    Then the playbook gathers information on the file and URL attached to the email and launches these two actions:
    8. Detonate file: Run the file in the Threat Grid sandbox and retrieve the analysis
    9. Detonate URL: Load the URL in the Threat Grid sandbox and retrieve the analysis
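    Every action on this slide takes an indicator that first has to be pulled out of the reported email: URLs and their domains from the body, the sender’s domain and connecting IP from the headers, and a hash for each attachment. The Python below is an added example for this page, not part of the deck or of Splunk’s playbook; it uses only the standard library and runs on a constructed message whose headers, body and attachment are invented. It deliberately trusts only the topmost Received header, since the ones below it arrive inside the message and can be forged by the sender.

```python
import base64
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # "[203.0.113.9]" in a Received header


def sha256_hex(data: bytes) -> str:
    """Hash an attachment the way the file-reputation and detonate actions expect it."""
    return hashlib.sha256(data).hexdigest()


def extract_indicators(raw: bytes) -> dict:
    """Pull the URL, domain, IP and file-hash indicators the playbook's actions need."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = list(dict.fromkeys(URL_RE.findall(text)))  # de-duplicate, keep order
    domains = list(dict.fromkeys(urlparse(u).hostname for u in urls if urlparse(u).hostname))

    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2] or None

    # Only the first Received header was written by our own MX and names the peer
    # that actually connected; lower ones were supplied by the sender.
    received = msg.get_all("Received") or []
    first_hop = RECEIVED_IP_RE.findall(str(received[0])) if received else []
    sender_ip = first_hop[0] if first_hop else None

    files = []
    for part in msg.iter_attachments():
        payload = part.get_content()
        if isinstance(payload, str):  # text/* attachments decode to str
            payload = payload.encode("utf-8")
        files.append({"name": part.get_filename(), "sha256": sha256_hex(payload)})

    return {"urls": urls, "domains": domains, "sender_domain": sender_domain,
            "sender_ip": sender_ip, "files": files}


# Constructed sample message (not a real phish); the attachment is a 16-byte MZ stub.
SAMPLE_ATTACHMENT = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_EML = (
    b"Received: from mail.example.net (mail.example.net [203.0.113.9])\n"
    b" by mx.victim.example with ESMTP id abc123; Tue, 21 Sep 2021 10:00:00 -0400\n"
    b"Received: from [10.0.0.7] (unknown [10.0.0.7]) by mail.example.net with ESMTP\n"
    b'From: "IT Helpdesk" <helpdesk@example.net>\n'
    b"To: user@victim.example\n"
    b"Subject: Password expiry notice\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n'
    b"\n"
    b"--b1\n"
    b'Content-Type: text/plain; charset="utf-8"\n'
    b"\n"
    b"Your password expires today. Reset it at https://login.example.net/reset?u=1\n"
    b"or use the attached form. Ignore https://login.example.net/reset?u=1 if done.\n"
    b"\n"
    b"--b1\n"
    b'Content-Type: application/octet-stream; name="form.exe"\n'
    b'Content-Disposition: attachment; filename="form.exe"\n'
    b"Content-Transfer-Encoding: base64\n"
    b"\n"
    + base64.b64encode(SAMPLE_ATTACHMENT) + b"\n"
    b"--b1--\n"
)

if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE_EML).items():
        print(f"{key:<14} {value}")
```

    The returned dictionary maps directly onto the slide: urls feed URL reputation and Detonate URL, domains and sender_domain feed Domain reputation and whois, sender_ip feeds IP reputation, geolocation and whois, and each file hash feeds File reputation before the attachment itself goes to Detonate file. Hashing the decoded bytes (not the base64 text) is what makes the hash match what a sandbox or VirusTotal would compute.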
  • 11. Endpoint Malware Triage
    The CrowdStrike Malware Triage Playbook can respond to a high volume of endpoint alerts, filter out the false positives, determine the risk level, provide an analyst with all the details needed to choose how to respond, and finally handle the threat based on the analyst’s response.
    The actions available in this playbook include:
    1. Get indicator: Get an IOC by providing a type and value
    2. Get process detail: Retrieve the details of a process that is running or that previously ran, given a process ID
    3. Get system info: Get details of a device, given the device ID
    4. Hunt file: Hunt for a file on the network by querying for the hash
    5. List processes: List processes that have recently used the IOC on a particular device
    6. Quarantine device: Block the device
    7. Upload indicator: Upload one or more indicators that you want CrowdStrike to watch
  • 12. Command and Control: Investigation and Containment
    The C2 Investigate and Contain Playbook is designed to perform the investigative and potential containment steps required to properly handle a command-and-control attack scenario.
    The actions available in this playbook include:
    1. Block hash: Add a hash to the Carbon Black blacklist
    2. Block IP: Block an IP
    3. Find malware: Execute the Volatility malfind plugin to find injected code/DLLs in user-mode memory
    4. Geolocate IP: Queries MaxMind for IP location info
    5. Get process file: Extracts the process file from the memory dump
    6. Get report: Get further details about an AutoFocus tag
    7. Hunt IP: Hunt an IP and retrieve a list of associated tags
    8. List VM(s): Get the list of registered VM(s)
    9. Send email: Send an email
    10. Snapshot VM(s): Take a snapshot of the VM(s)
    11. Terminate process: Kill running processes on a machine
    12. Whois IP: Execute a whois lookup on the given IP
  • 13. Threat Intelligence
    The Recorded Future Correlation Response Playbook is used to gather more context about relevant network indicators.
    The actions in this playbook include:
    1. Block IP: Blocks an IP network
    2. Domain Intelligence: Get threat intelligence for a domain
    3. IP Intelligence: Get threat intelligence for an IP address
  • 14. Bonus: Block with Zscaler
    Once the analyst has blocked network access via the Recorded Future Correlation Response Playbook, Splunk SOAR can trigger a second playbook to investigate, hunt and block a URL.
    When a suspicious URL is detected, the Zscaler Hunt and Block URL Playbook can be used to identify internal devices that have accessed that URL and triage the organizational importance of those devices. Then, depending on the maliciousness of the URL and whether or not the affected device belongs to an executive in the organization, the URL will be blocked and an appropriate ServiceNow ticket will be created.
    The actions in this playbook include:
    1. Block URL: Block a URL
    2. Create ticket: Create an incident
    3. Get user attributes: Gets the attributes of a user
    4. Lookup URL: Lookup the categories related to a URL
    5. Quarantine device: Quarantine the endpoint
    6. Run query: Gets object data according to the specified query
    7. URL reputation: Queries VirusTotal for URL info
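    The decision this slide describes, and the "determine risk level" step of the endpoint triage slide above, is the same branch logic: combine the reputation results with the importance of the affected assets, then pick which containment actions to run and what priority the ticket gets. The Python below is an added example for this page, not Splunk’s, Zscaler’s or CrowdStrike’s code. The action names are the slide’s; the VirusTotal fields, the Zscaler category names, how an executive is identified and the P1 to P4 mapping are assumptions to adjust to what the real Lookup URL, URL reputation and Get user attributes actions return. It also guards against re-issuing Block URL when the playbook re-runs on a URL that is already blocked.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed category names and thresholds; tune to the real action results.
MALICIOUS_CATEGORIES = {"Malicious Sites", "Phishing", "Botnet"}
VT_DETECTION_RATIO = 0.05  # treat as malicious when >= 5% of engines flag the URL
PRIORITY = {"critical": 1, "high": 2, "medium": 3, "low": 4}  # ServiceNow P1..P4


@dataclass
class UrlVerdict:
    url: str
    vt_malicious: int                 # engines reporting malicious ("URL reputation")
    vt_engines: int
    categories: Tuple[str, ...] = ()  # Zscaler categories ("Lookup URL")
    already_blocked: bool = False     # avoid a duplicate "Block URL" on re-runs


@dataclass
class Device:
    hostname: str                     # from "Run query" against the proxy logs
    owner: str
    executive: bool                   # owner in the executives group ("Get user attributes")


def is_malicious(v: UrlVerdict) -> bool:
    ratio = v.vt_malicious / v.vt_engines if v.vt_engines else 0.0
    return ratio >= VT_DETECTION_RATIO or bool(MALICIOUS_CATEGORIES & set(v.categories))


def risk_level(malicious: bool, devices: List[Device]) -> str:
    if not malicious:
        return "low"
    if not devices:
        return "medium"  # bad URL, but no internal host reached it
    return "critical" if any(d.executive for d in devices) else "high"


def decide(verdict: UrlVerdict, devices: List[Device]) -> dict:
    """Return the risk level plus the ordered (action, parameters) list to run."""
    malicious = is_malicious(verdict)
    level = risk_level(malicious, devices)
    actions = []
    if malicious and not verdict.already_blocked:
        actions.append(("block url", {"url": verdict.url}))
    if level == "critical":
        # Contain executive endpoints immediately; other hosts wait for the analyst.
        for d in devices:
            if d.executive:
                actions.append(("quarantine device", {"hostname": d.hostname}))
    if malicious:
        actions.append(("create ticket", {
            "priority": PRIORITY[level],
            "short_description": f"{level.upper()}: {verdict.url} reached by {len(devices)} device(s)",
        }))
    return {"malicious": malicious, "risk": level, "actions": actions}


# Constructed sample data, not real lookup results.
SAMPLE_VERDICT = UrlVerdict("http://evil.example/login", vt_malicious=7, vt_engines=90,
                            categories=("Phishing",))
SAMPLE_DEVICES = [Device("wks-042", "jdoe", executive=False),
                  Device("exec-lt-01", "cfo", executive=True)]

if __name__ == "__main__":
    result = decide(SAMPLE_VERDICT, SAMPLE_DEVICES)
    print("risk:", result["risk"])
    for action, params in result["actions"]:
        print(f"{action:<18} {params}")
```

    With the sample data the URL is blocked, only the executive’s laptop is quarantined, and a P1 incident is opened; a benign URL produces no actions at all, and a malicious URL that is already blocked and was never reached still gets a P3 ticket so the detection is recorded. Keeping the thresholds in named constants is what lets an analyst tune the playbook without editing its branches.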
  • 15. Wrap-up