Empowering Your Splunk SOAR: Enriching with Splunk Enterprise Events for Next-Level Security Optimization
This post was authored by Detecx team NetbyteSec
This blogpost is highlighting on a journey of the powerful collaboration between Splunk Enterprise and Splunk SOAR. We will explore the essential process of ingesting security events from Splunk Enterprise to Splunk SOAR. Discover how this integration creates a complete security solution, not just analyzing events but also automating responses for a more proactive approach.
Splunk SOAR User Configuration
|Figure 1: Splunk SOAR user configuration
For the first step on the Splunk SOAR instance, it is necessary to setup the user configuration and also to get the authentication token value for the user which later will be used in the Splunk Enterprise instance. "Allowed IPs" value need to be specify for allowed address to communicate with this Splunk SOAR instance which is our Splunk Enterprise IP server. User's role also can be assigned in this user configuration settings.
Splunk Enterprise Apps Configuration
Next, download the Splunk App for SOAR Export (https://splunkbase.splunk.com/app/3411) to integrate Splunk Enterprise with Splunk SOAR.
|Figure 2: Create server SOAR
Create server SOAR configuration
1) Login to your Splunk Enterprise web
2) Go to Splunk App for SOAR Export and navigate to menu "Configurations"
3) "Create Server" and key in information needed
Next, copy the authorization token from Splunk SOAR instance and paste into field Authorization Configuration. This allow user to control access to specific functionalities within this two instance if the connection success.
|Figure 3: Indicator success and fail connectivity
|Figure 4: List SOAR servers
There will be indicator that will indicates if the connectivity between Splunk Enterprise server and Splunk SOAR is successful or not. After finish the creation of SOAR server, it will shows the successful configured servers.
There are 2 ways to forward the event which are through Saved Search and Data Model export. In this blogpost, NBS team will demonstrate on the Saved Search.
|Figure 5: Create correlation search
Follow below steps to create correlation search.
1) Login to Splunk Enterprise web
2) Navigate to app Enterprise Security
3) Go to menu Configure > Content > Content Management
4) Create New Content and select Correlation Search
|Figure 6: Saved Search Export
For this saved search configuration, firstly user must create a saved search. For example, NBS team created a correlation search on Splunk ES under Security Domain Threat. Detail of the correlation search:
Name: Suspicious user action in server Console
Description: Detection based on Auditd log
SPL: sourcetype="linux:audit" type=EXECVE | search a0=useradd | table host, a0, a1 | rename a0 AS "Command First", a1 AS "Command Second"
|Figure 7: Preview for saved search export
Select the field you want to map in the Search Fields column and map it to a CEF Fields column. Review your saved search data then send to SOAR instance.
|Figure 8: Splunk SOAR events
Lastly, review your forwarded saved search event in the SOAR events.
In conclusion, forwarding data to Splunk SOAR emerges as an important strategy in enhancing security operation and incident response capability. With integrating different data sources and automating response actions, Splunk SOAR empowers security team to effectively triage, investigate and respond to incident in a efficient manner.
The next topic to be discussed is the capability of Splunk SOAR to automate processes through its playbooks.