Can I create a security operations workflows using the ES app? For example, if I want a ticket to be opened in the ticketing system etc. how do i do that in ES app.
Hi , I am not sure if you got what you looking for but . I will have to agree with jcoates_splunk on option 2. If you have someone that can help develop API's to communicate with your GRC or Ticketing solution that would be the way to go
Hi,
The notable event framework used in Splunk Apps for Enterprise Security or PCI Compliance is intended to provide basic tracking capabilities for security incidents, but it is not intended to replace more full featured systems for ticket management. There are several potential integrations between the two which are of interest.
1) At the simplest level, one might determine that a given correlation search produces notable events that are valuable for operations but do not demand the attention of a security analyst. These operationalized correlation searches can be modified to set an automatic status and ownership, then send an alert into the service desk or ticket system. Alerts may be forwarded in several ways, but for this use case simple email tends to suffice.
2) A more complex solution is to offer a security analyst the ability to send a given notable event into the ticket system or service desk. In this case, a Splunk workflow action is a good solution for executing a command or search. This workflow action will then send a basic set of information which is easily used to link back to the notable event in Splunk App for Enterprise Security or PCI Compliance. Email or REST APIs work equally well for this.
3) The most complex solution available is to bidirectionally link a notable event to a ticket or incident. In this case, a workflow action is used to initiate the relationship from Splunk to the ticket system; however, the other system must respond with an identifier which allows the ticket or incident to be found again. The resulting link can then be added to the notable event comments, either as a comment or as a custom field for rendering in a custom interface. Splunk can do this sort of work, but the implementations can be very site and product specific.
For Option 2 to get the Notable event details is there an API.
Using the Scripting alert I can get the SID but not the Notable event details like rule_id, event_id, event_hash, urgency, severity etc.
Looking for how to get the Notable event details using API and especially using sid got in the script alert.
If related events also can be got along with notable details it is perfect
OR
Tell my splunk to alert the mailbox along with a notable event and its belonging csv file and write some kind of script that will use the details in the email as soon as it arrives and open a ticket in the ticketing system
Thanks for the response on this.If I choose # 3 Lets say my correlation search to mark the default status of the notable event to "New" and the Default owner to "Unassigned" and under the alert actions use a script that will populate the details of the alert along by taking the csv file that belongs to a given notable events and populate my third part ticket management system to open a ticket and assign it to a security analyst. And once the ticket is been addressed in return tell splunk to mark the corresponding notable status to "Close" and reference to the ticketing system for more details