Security: SOAR - 11/29/23

Community Office Hours
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Security: SOAR - 11/29/23

Security: SOAR - 11/29/23

2 Comments
Community Office Hour Cover Images copy 3.png
Published on ‎10-03-2023 05:34 PM by Splunk Employee | Updated on ‎12-11-2023 02:57 PM

Register here. This thread is for the Community Office Hours session on Security: SOAR on Wed, Nov 29, 2023 at 1pm PT / 4pm ET. 

 

This is your opportunity to ask questions related to your specific Splunk Security orchestration, automation, and response (SOAR) challenge or use case. Including:

  • What's new in SOAR 6.2 (Logic Loops, CyberArk integration, etc.)
  • Attack Analyzer 
  • Developing Playbooks, Workbooks and process workflows
  • Integrating security, IT operations and threat intelligence tools
  • Automatic incident response
  • Automating threat hunting, penetration testing, etc.
  • Applying configuration changes, app installation, and maintenance
  • Success measurement
  • Anything else you'd like to learn!

 

Please submit your questions at registration or as comments below. You can also head to the #office-hours user Slack channel to ask questions (request access here)

 

Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants.

 

Look forward to connecting!


Labels (1)
adepp
Splunk Employee
Splunk Employee
‎11-27-2023 12:50 PM
‎11-27-2023 12:50 PM

Hi Everyone!

Please be sure to submit your questions at registration or post a comment here for any topics you'd like to see discussed in the Community Office Hours session. You can also head to the #office-hours user Slack channel to ask questions and join the discussion (request access here).

0 Karma
adepp
Splunk Employee
Splunk Employee
‎12-11-2023 02:56 PM
‎12-11-2023 02:56 PM

Here are a few questions from the session (get the full Q&A deck and live recording in the #office-hours Slack channel):

 

Q1: What is the best way to format query results from Splunk to dynamically make a new line for each result? For example, 120 results

  • This can be solved a variety of ways based on how the information will be used downstream.
    • If the information needs to be split up and handled individually, use a custom function block like list_demux. 
    • If the information is just needed for a format block, use the %% {} %% format option to iterate through the results. 

Q2: A user adds a comment / note about their findings, how can I have it outputted to Jira Add Comment or as a variable? 

  • For comments, there is a utility called “comment_list” that retrieves all of the comments for a single container. The output of that utility can then be routed to JIRA.
  • For notes, there is no equivalent utility for “note_list”. Instead, you’ll need to leverage the phantom.get_notes() call in a utility block or custom code block. The documentation is listed here: https://docs.splunk.com/Documentation/SOAR/current/PlaybookAPI/ContainerAPI#get_notes

Q3: Can you think of any valid reasons why an organisation wouldn't want to have SOAR capabilities?

  • All organizations need automation and security automation is critical to responding to threats fast and effectively. 
  • The only reason I can think of why an organization wouldn’t want a SOAR-type product is if they have a dedicated security tools development team with a programming background, who is willing to maintain the tools infrastructure and constantly update the application integrations.

Other Questions (check the #office-hours Slack channel for responses):

  • Would like you to cover update indicator action in crowdstrike app in Splunk SOAR (live demo!)
  • Does SOAR version 6.1.1 resolve the issue with random container's data not being exported back into Splunk?
  • A user adds a comment / note about their findings, how can I have it outputted to Jira Add Comment or as a variable?
  • Where can I find the dispatch_input_playbooks utility that is supposed to be in the Playbook block?
  • Why is it not possible to execute playbooks from input playbooks?
  • Is it possible to schedule playbook runs (not around containers)?
  • I've seen duplicate imports of notables/events from Splunk when running a polling query. Is there a mechanism built to avoid duplicate imports, and how does it work?
  • Is there a way to see how long it took a user to complete a task and output that time?
  • Is it possible to set default values for fields in prompts?
  • Do containers have a set time-to-live or do they persist on the system indefinitely?
  • How to automate managing custom list size?
0 Karma