Getting Started with Automation Before You’re Ready to SOAR

The benefits of automating aspects of your security tasks include the ability to remove human error, reduce redundant or recurring tasks, and shorten the time to taking action when responding to a potential security incident. 

That’s where SOAR (Security Orchestration, Automation, and Response) comes in. Products such as Splunk SOAR will help empower your team to make quick decisions, reduce your team’s alert fatigue, and have them focused on legitimate threats and incidents that may have business impact to your organization. 

But what if you don’t have SOAR? 

Maybe your organization isn’t yet at the level of maturity to start using a full blown SOAR platform, or maybe it’s not coming until later this year. While SOAR platforms make pulling it all together a bit easier, you may have options within your existing toolset to automate some of your everyday tasks.

Automation within Splunk

Splunk has the ability to do more than just ingest your logs! Splunk can be used to enrich the data it ingests, sub search based on data found, and pull together analytic stories to ask and answer some of the most common questions your team may have during investigations. 

For example:

GreyNoise

This is one of our favorite tools! We use GreyNoise to enrich alerts and let us know if the IP address in question is a known benign scanner or if it’s actively malicious, which helps us remove false positives from alerting.

Check out our blog on how to use it for alert tuning here. 

Asset and Identity Lists

These lists can be used to populate information about your environment such as hosts, groups, users, and so on. This information can then be used to correlate investigation information to enrich the information being provided to the analyst. This information is also chronically undervalued and often incomplete; good asset/identity management is far more critical than many realize.

In our podcast “Designing a SOC: Internal or External? Part 1,” one of the points we talk about is the importance of knowing the details of your assets, using the SolarWinds breach as an example of what can happen. Check it out!

Analytic Stories

These are sets of searches that you pre-can to aid an analyst through an investigation. Doing this helps create a uniform investigation process, reduces the need to find what the last analyst did, and saves time by helping answer the questions that matter when performing an investigation.

Threat Intelligence and IoC Alerting

To add additional context and be alerted to early indicators, you should look to automate the ingestion and alerting around threat intelligence and IoCs in your network. Threat feeds can be ingested directly into Splunk and used in conjunction with a correlation search, allowing you to be alerted to indicators of compromise within your network.

Detecting Host Issues

Being alerted to host issues is critical for any business. You can automate the detection of host issues by creating an alert to notify you when a device has stopped sending logs to Splunk. This will help detect potential issues so you can address them more promptly. 

Note: Don’t downplay the value of a good Splunk search or alert. You can identify conditions in your environment that require action just by writing a search, scheduling it to trigger when events are returned, and using alert actions to trigger a response when the event happens. 

Automation in your ticketing system

Look for what you can automate in your ticketing system. SNOW, for example, has the ability to enrich tickets–assuming SNOW is configured correctly. This can help you automate.

Note: some integrations are better than others; while you probably could integrate almost any ticketing system with email, you will get better results if your integration can customize fields in the payload so that details like the subject, assigned group, and any relevant tags needed are set appropriately. 

Splunk Technology Add-on automation

Splunk Technology Add-ons (TAs) are apps that provide specific capabilities to other apps, allowing them to perform tasks such as ingesting or mapping data, or providing saved searches and macros.

We always recommend first checking Splunkbase to see if a Splunk TA already exists for the device you’ll be sending logs from. Using a Splunk TA can save you time and headache when it comes to configuring data ingestion as well as CIM compliance.

One example is the CheckPoint Firewall Block app (available on Splunkbase), which was developed by Hurricane Labs. This app allows you to block an IP address in your Check Point firewall via an alert action in Splunk Enterprise Security. 

Conclusion

While SOAR platforms do open up a realm of possibilities, your organization may not be ready for that level of automation just yet. Using the tools that are already existing within your environment and automating some of the redundant and mundane tasks will help save time and effort within your daily tasks. 

If you’re interested in some of the automation ideas outlined here or if you’ve already automated all you can and are ready for SOAR, let us know! Hurricane Labs offers Splunk SOAR (formerly Phantom) support for deployment, maintenance, and playbook development. 

Ready to talk? We’re here to help!