Empowering Your Splunk SOAR: Enriching with Splunk Enterprise Events for Next-Level Security Optimization

This post was authored by Detecx team NetbyteSec


This blogpost is highlighting on a journey of the powerful collaboration between Splunk Enterprise and Splunk SOAR. We will explore the essential process of ingesting security events from Splunk Enterprise to Splunk SOAR. Discover how this integration creates a complete security solution, not just analyzing events but also automating responses for a more proactive approach.

Splunk SOAR User Configuration

Figure 1: Splunk SOAR user configuration

For the first step on the Splunk SOAR instance, it is necessary to setup the user configuration and also to get the authentication token value for the user which later will be used in the Splunk Enterprise instance. "Allowed IPs" value need to be specify for allowed address to communicate with this Splunk SOAR instance which is our Splunk Enterprise IP server. User's role also can be assigned in this user configuration settings.

Splunk Enterprise Apps Configuration

Next, download the Splunk App for SOAR Export (https://splunkbase.splunk.com/app/3411) to integrate Splunk Enterprise with Splunk SOAR.

Figure 2: Create server SOAR

Create server SOAR configuration

1) Login to your Splunk Enterprise web 

2) Go to Splunk App for SOAR Export and navigate to menu "Configurations"

3) "Create Server" and key in information needed

Next, copy the authorization token from Splunk SOAR instance and paste into field Authorization Configuration. This allow user to control access to specific functionalities within this two instance if the connection success.

Figure 3: Indicator success and fail connectivity
Figure 4: List SOAR servers

There will be indicator that will indicates if the connectivity between Splunk Enterprise server and Splunk SOAR is successful or not. After finish the creation of SOAR server, it will shows the successful configured servers. 

Forward Events

There are 2 ways to forward the event which are through Saved Search and Data Model export. In this blogpost, NBS team will demonstrate on the Saved Search.

Figure 5: Create correlation search

Follow below steps to create correlation search.

1) Login to Splunk Enterprise web 

2) Navigate to app Enterprise Security

3) Go to menu Configure > Content > Content Management

4) Create New Content and select Correlation Search

Figure 6: Saved Search Export

For this saved search configuration, firstly user must create a saved search. For example, NBS team created a correlation search on Splunk ES under Security Domain Threat. Detail of the correlation search:

Name: Suspicious user action in server Console

Description: Detection based on Auditd log

SPL: sourcetype="linux:audit" type=EXECVE | search a0=useradd | table host, a0, a1 | rename a0 AS "Command First", a1 AS "Command Second"

Figure 7: Preview for saved search export

Select the field you want to map in the Search Fields column and map it to a CEF Fields column. Review your saved search data then send to SOAR instance. 

Figure 8: Splunk SOAR events

Lastly, review your forwarded saved search event in the SOAR events.

In conclusion, forwarding data to Splunk SOAR emerges as an important strategy in enhancing security operation and incident response capability. With integrating different data sources and automating response actions, Splunk SOAR empowers security team to effectively triage, investigate and respond to incident in a efficient manner.

The next topic to be discussed is the capability of Splunk SOAR to automate processes through its playbooks.