You’ve had a SIEM for a while, it’s doing well, and now you want to take it to the next level. That often means time savings and automation. And when you want to automate your security responses, the best solution is Splunk SOAR (formerly known as Splunk Phantom).
What is Splunk SOAR (Formerly Splunk Phantom)?
Splunk Enterprise Security (ES) is Splunk’s SIEM (Security Information and Event Management) system. ES is the centerpiece of any Splunk security solution. Yet there are limitations to ES. Namely, it is human-centric: it finds the problems but doesn’t correct them. But there is a way. Splunk acquired a SOAR (Security, Orchestration, Automation, and Response) tool known as Phantom.
Why is Splunk Phantom now called Splunk SOAR?
The tool was initially sold as Splunk Phantom but is now called Splunk SOAR. Using Splunk SOAR opens the world of ES to computer-driven responses, empowering security analysts to effect change and creating repeatable processes and reactions.
What does SOAR stand for?
SOAR stands for Security, Orchestration, Automation, and Response.
Security: The intended use of Splunk SOAR is for security use cases. It can do other things but is intended to tie into Enterprise Security.
Orchestration: SOAR enables multiple tools to share information or work together. Instead of analysts logging into each device separately, these tasks are joined together.
Automation: Splunk SOAR is about automating things. Why retype the same things, or perform the same actions, when these can be saved into a playbook and executed?
Response: Speed matters during security incidents. Splunk SOAR speeds response time. Instead of waiting for human intervention, an automated playbook executes as soon as its criteria are met. Automated response is where Splunk’s marketing claim of turning 30 minutes into 30 seconds is proven true.
Why use Splunk SOAR?
Splunk SOAR (Formerly Phantom) is the SOAR product in the Splunk security offering. SOAR tools reduce risk, increase resolution speed, and save everyone’s effort. Splunk SOAR uses playbooks, either ones already created by the community or custom ones your organization produces. These playbooks can run scripts, create tickets, update Splunk, query users, etc.
- Response Speed: With Splunk SOAR, the correlation searches that discover the issue in Enterprise Security can automatically kick off playbooks. Even if you decide to keep the Security Analysts involved, SOAR significantly reduces the time that passes between an Analyst confirming the issue and the issue being corrected.
- Empowering Users: Often, the people who identify the issue and those who correct it are different actors. Imagine the Security Analyst who uncovers a need to update the proxy servers. That analyst must create a ticket with another team to perform the correction. A well-orchestrated playbook, designed in conjunction with the proxy admins, would enable the Security Analyst to complete the fix without involving the other team.
- Repeatability: A repeatedly executed playbook will likely have fewer mistakes than hand-run corrections. The errors that do happen are easier to correct, so future runs of the playbook are more stable and likely to fix the issue.
Apps in Splunk SOAR
Splunk SOAR uses apps to provide connectivity to other products and services. These apps allow for integration between SOAR and those products. Apps are downloaded from Splunkbase using a filter set for Splunk SOAR.
When integrating other systems with SOAR, always check to see if there is an existing app. The time savings alone make it worthwhile. For example, if I have a Cisco ISE, I can use the Cisco ISE SOAR App, which comes with a bunch of built-in supported actions. Why waste a lot of time for no reason?
Playbooks – Using Existing and Creating New
The power in Splunk SOAR comes from using playbooks. These playbooks are sets of actions that we build into a logical flow. Depending on the findings, these playbooks can have validation, confirmation, and multiple paths.
Download playbooks from the Phantom Community, or create your own using the Visual Playbook Editor. Playbook creation is my favorite part of SOAR, as it’s great for creativity and far more straightforward than diving into code. There are two education courses for developing playbooks, but go-getters may also use the docs to learn how to create their apps.
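The validation, confirmation and multiple-path flow described above, as an added stand-alone Python simulation: this is not a real SOAR playbook and does not use the `phantom.rules` API that the Visual Playbook Editor generates; the `on_start`/`on_finish` names only mirror SOAR's convention, and the container, artifacts, reputation scores and threshold are constructed for the example.

```python
"""Constructed simulation of a SOAR-style playbook: validate -> decide -> act."""
from dataclasses import dataclass, field

@dataclass
class Container:
    """Stand-in for a SOAR container (one ES notable/event) and its artifacts."""
    name: str
    artifacts: list                                # each artifact carries CEF fields
    actions: list = field(default_factory=list)    # actions the playbook ran

# Constructed reputation data standing in for an "ip reputation" app action (0-100)
KNOWN_BAD = {"203.0.113.10": 95, "198.51.100.7": 20}

def validate(container):
    """Validation block: collect source IPs, dropping artifacts without one."""
    ips = [a.get("cef", {}).get("sourceAddress") for a in container.artifacts]
    return [ip for ip in ips if ip]

def reputation(ip):
    """Stand-in for the reputation lookup an app would perform."""
    return KNOWN_BAD.get(ip, 0)

def analyst_approves(ip):
    """Confirmation path: in SOAR this is a prompt; here a constructed answer."""
    return ip != "198.51.100.7"

def on_start(container, approve=analyst_approves, auto_threshold=90):
    """Decision block with three paths: auto-block, ask an analyst, or do nothing."""
    for ip in validate(container):
        score = reputation(ip)
        if score >= auto_threshold:
            container.actions.append(("block ip", ip, "automatic"))
        elif score > 0 and approve(ip):
            container.actions.append(("block ip", ip, "analyst confirmed"))
        else:
            container.actions.append(("no action", ip, f"score {score}"))
    return on_finish(container)

def on_finish(container):
    """Summary written back to the container, as a playbook's on_finish would."""
    blocked = [ip for act, ip, _ in container.actions if act == "block ip"]
    return {"container": container.name, "blocked": blocked, "actions": container.actions}

if __name__ == "__main__":
    # Constructed notable with three artifacts, one lacking a source address
    c = Container("Suspicious outbound traffic", [
        {"cef": {"sourceAddress": "203.0.113.10"}},
        {"cef": {"sourceAddress": "198.51.100.7"}},
        {"cef": {"destinationAddress": "192.0.2.5"}},
    ])
    print(on_start(c))
```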
Where to Get Started with Splunk SOAR
First, you’ll need to register for an account. You’ll need that for an on-prem installation or to download playbooks.
Next, choose how you wish to learn. If your company already has Splunk SOAR, you can use that. If you want to avoid developing in production (minor hint), you can download the Splunk SOAR Community edition for free. The community edition can be found here. If you have the rights, production installs use https://my.phantom.us/downloads/ to download the official tarballs.
Note: SOAR is not the easiest product to install. Follow the docs and consider using VMware or Oracle VirtualBox.
We have looked at how Splunk SOAR (Phantom) complements and expands Enterprise Security environments. We investigated the benefits of SOAR: how it speeds remediation, how it reduces risk, and how it extends analysts’ capabilities. We also discussed playbooks and how Splunk SOAR users take advantage of them for reusability and fast coding.
You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.
Cue Atlas Assessment: Instantly see where your Splunk environment is excelling and opportunities for improvement. From download to results, the whole process takes less than 30 minutes using the link below: