Splunk Enterprise Security

Creating workflows using ES App

coolwater77
Explorer

Can I create a security operations workflows using the ES app? For example, if I want a ticket to be opened in the ticketing system etc. how do i do that in ES app.

sriniraju
New Member

Hi , I am not sure if you got what you looking for but . I will have to agree with jcoates_splunk on option 2. If you have someone that can help develop API's to communicate with your GRC or Ticketing solution that would be the way to go

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

Hi,

The notable event framework used in Splunk Apps for Enterprise Security or PCI Compliance is intended to provide basic tracking capabilities for security incidents, but it is not intended to replace more full featured systems for ticket management. There are several potential integrations between the two which are of interest.

1) At the simplest level, one might determine that a given correlation search produces notable events that are valuable for operations but do not demand the attention of a security analyst. These operationalized correlation searches can be modified to set an automatic status and ownership, then send an alert into the service desk or ticket system. Alerts may be forwarded in several ways, but for this use case simple email tends to suffice.

2) A more complex solution is to offer a security analyst the ability to send a given notable event into the ticket system or service desk. In this case, a Splunk workflow action is a good solution for executing a command or search. This workflow action will then send a basic set of information which is easily used to link back to the notable event in Splunk App for Enterprise Security or PCI Compliance. Email or REST APIs work equally well for this.

3) The most complex solution available is to bidirectionally link a notable event to a ticket or incident. In this case, a workflow action is used to initiate the relationship from Splunk to the ticket system; however, the other system must respond with an identifier which allows the ticket or incident to be found again. The resulting link can then be added to the notable event comments, either as a comment or as a custom field for rendering in a custom interface. Splunk can do this sort of work, but the implementations can be very site and product specific.

badadata1
Explorer

For Option 2 to get the Notable event details is there an API.
Using the Scripting alert I can get the SID but not the Notable event details like rule_id, event_id, event_hash, urgency, severity etc.

Looking for how to get the Notable event details using API and especially using sid got in the script alert.
If related events also can be got along with notable details it is perfect

0 Karma

sriniraju
New Member

OR

Tell my splunk to alert the mailbox along with a notable event and its belonging csv file and write some kind of script that will use the details in the email as soon as it arrives and open a ticket in the ticketing system

0 Karma

sriniraju
New Member

Thanks for the response on this.If I choose # 3 Lets say my correlation search to mark the default status of the notable event to "New" and the Default owner to "Unassigned" and under the alert actions use a script that will populate the details of the alert along by taking the csv file that belongs to a given notable events and populate my third part ticket management system to open a ticket and assign it to a security analyst. And once the ticket is been addressed in return tell splunk to mark the corresponding notable status to "Close" and reference to the ticketing system for more details

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...