Security: SOAR - Wed 10/9/24

Community Office Hours
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Security: SOAR - Wed 10/9/24

Security: SOAR - Wed 10/9/24

1 Comment
Cover Images - Office Hours (11).png
Published on ‎06-27-2024 05:55 PM by Splunk Employee | Updated on ‎10-10-2024 04:19 PM

Register HereThis thread is for the Community Office Hours session on Security: SOAR on Wed, Oct 9, 2024 at 1pm PT / 4pm ET. 

 

This is your opportunity to ask questions related to your specific Splunk SOAR needs and use cases, including:

  • New features from our recent 6.3 release
  • SOAR 6.3 and Enterprise Security 8.0 integrations and the unified TDIR workflow
  • Using SOAR and Attack Analyzer together
  • Best practices for developing playbooks, workbooks and process workflows
  • SOAR Apps recommendations
  • Automatic incident response, Automating threat hunting, penetration testing, etc.
  • Success measurement
  • Anything else you'd like to learn!

 

Please submit your questions at registration. You can also head to the #office-hours user Slack channel to ask questions (request access here). 

 

Pre-submitted questions will be prioritized. After that, we will open the floor up to live Q&A with meeting participants.

 

Look forward to connecting!

 


Labels (1)
0 Karma
loriexi
Splunk Employee
Splunk Employee
‎10-10-2024 04:23 PM
‎10-10-2024 04:23 PM

Q1: Can we get a demo for ES and SOAR before the actual subscription?

Please refer to the live demo in the recording

 

Q2: Will SOAR 6.3 support any other than CentOS and Amazon free Linuxes? Such as Rocky Linux or Oracle Linux?

CentOS no longer supported.

Oracle Linux now officially supported.

 

Q3: How can I send the event_id field from Splunk ES to Splunk SOAR after running Adaptive Response Actions (Notable, Risk Analysis, Send to SOAR) in a Correlation Search with the mode to Manual or Guided Search SPL. ?

  • Adaptive Response is not sequential
  • The dispatch to soar doesn't have the event id because it's generated after dispatch 
  • You can eval the event id manually and send to soar
  • Check out the notable macro for a way to do that using SPL

 

Live Questions: (refer to the recording)

  • When we use prompts and assign it to a group of analysts, is there a way to see which analyst responded to the prompt? I tried debug statements to see what comes back and I can't find anywhere where the name is saved.
  • Is there much in the pipeline/roadmap or already in ES 8.0 that brings more functionality to workbooks? 
  • When do the external prompts come? Is that with ES 8.0?
    • External prompts are GA in SOAR Cloud and GA in SOAR on-prem today (10/10/24)
0 Karma