Splunk SOAR Prompt-Driven Automation: Reduce MTTR with Collaborative SecOps
It’s Friday at 3:59pm. A potential phishing attempt is detected by your SIEM and it triggers a SOAR playbook to automatically analyze the email. This analysis returns malicious indicators such as malicious URLs and command-and-control IP addresses, which need to be blocked across the network security infrastructure managed by the network security team. In order to move forward with the investigation, you need approval from the network security team. You send a Slack message. 5 minutes pass by and no answer. Maybe email is better? Send. No reply 30 minutes later. Maybe you should issue a ticket? You check your phone to see if you have the cell phone number of one of the team members.
This isn’t working. This out-of-band communication can add potentially hours, if not days, to an investigation and response workflow, and it’s not scalable.
Let’s try this again.
It’s Friday at 3:59pm. A potential phishing attempt is detected by your SIEM, Splunk Enterprise Security, and it triggers a Splunk SOAR playbook to automatically analyze the email. This analysis returns malicious indicators such as malicious URLs and command-and-control IP addresses, which need to be blocked across the network security infrastructure managed by the network security team. Now, prompt-driven automation in Splunk SOAR sends an approval request directly to the network security team delivered via any Splunk SOAR-supported ITOps, ChatOps, or Ticketing application. The prompt asks simple, straightforward questions. The network security team quickly sees the request inline with their normal workflows, answers the questions, approves it, and then the Splunk SOAR playbook automates the blocking of malicious URLs/IPs across network security technologies such as firewalls or secure web gateways. The same prompt can also be sent to the end-user to verify if they entered their corporate credentials on the phishing website, which can further automate the reset of their username and password. And this was all done in minutes, not hours or days.
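The workflow above is an approval-gated playbook: analysis produces indicators, a human outside the SOC is asked a simple question in their own tool, and blocking only runs once that answer is recorded. The following Python sketch is an added example written for this page, not Splunk SOAR playbook code and not the SOAR API; the `Channel` class stands in for whatever ChatOps, ITOps, or ticketing app delivers the prompt, the indicators and responses are constructed sample data, and the "no reply" case is modelled as a timeout that takes no blocking action and leaves the case for escalation.

```python
"""Approval-gated phishing response, an illustrative example (not Splunk SOAR code).

Assumptions (hypothetical): `Channel.ask()` delivers a prompt to a recipient and
returns their answers, or None when nobody replies before the timeout. Indicators,
recipients, and answers below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Prompt:
    recipient: str
    questions: list[str]


@dataclass
class Channel:
    """Stand-in for a ChatOps/ticketing integration. `answers` maps a recipient to
    the answers they give; a recipient missing from the map simulates a timeout."""
    answers: dict[str, dict[str, str]]

    def ask(self, prompt: Prompt) -> Optional[dict[str, str]]:
        return self.answers.get(prompt.recipient)


@dataclass
class Result:
    status: str = "pending"            # completed | denied | timed_out
    blocked_urls: list[str] = field(default_factory=list)
    blocked_ips: list[str] = field(default_factory=list)
    credentials_reset: list[str] = field(default_factory=list)


def valid_indicators(indicators: dict[str, list[str]]) -> dict[str, list[str]]:
    """Keep only well-formed URLs and IPs so a garbled indicator never reaches a firewall rule."""
    urls = [u for u in indicators.get("urls", []) if urlparse(u).scheme in ("http", "https") and urlparse(u).netloc]
    ips = []
    for ip in indicators.get("ips", []):
        try:
            ips.append(str(ipaddress.ip_address(ip)))
        except ValueError:
            pass
    return {"urls": urls, "ips": ips}


def run_playbook(indicators: dict[str, list[str]], end_user: str, channel: Channel,
                 approver: str = "netsec-team") -> Result:
    result = Result()
    inds = valid_indicators(indicators)

    # 1. Ask the team that owns the network controls; nothing is blocked without a recorded answer.
    approval = channel.ask(Prompt(approver, [
        f"Block {len(inds['urls'])} URL(s) and {len(inds['ips'])} IP(s) from phishing analysis? (approve/deny)",
    ]))
    if approval is None:
        result.status = "timed_out"   # no reply: leave the case for escalation, take no action
        return result
    if approval.get("decision") != "approve":
        result.status = "denied"
        return result

    # 2. Approved: dispatch the blocking actions (here just recorded).
    result.blocked_urls = inds["urls"]
    result.blocked_ips = inds["ips"]

    # 3. Ask the end user the credential question; reset only on an explicit "yes".
    user = channel.ask(Prompt(end_user, ["Did you enter your corporate credentials on this site? (yes/no)"]))
    if user and user.get("entered_credentials", "").lower() == "yes":
        result.credentials_reset.append(end_user)

    result.status = "completed"
    return result


# Constructed sample data (documentation ranges and example domains only).
SAMPLE_INDICATORS = {
    "urls": ["https://login-example.invalid/verify", "not a url"],
    "ips": ["203.0.113.7", "999.1.1.1"],
}

if __name__ == "__main__":
    chan = Channel({"netsec-team": {"decision": "approve"},
                    "alice@example.com": {"entered_credentials": "yes"}})
    print(run_playbook(SAMPLE_INDICATORS, "alice@example.com", chan))
```

The point of the shape is that every outbound action sits behind a recorded answer from the team that owns the control, and the two failure modes the narrative describes (no reply, or a reply that is not an approval) both end with no change to the network and a case status that tells the analyst what happened.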
Much better. Fast, efficient, and inline with normal workflows across the security team, network security team, and any team external from the SOC (IT, HR, Legal, end-users). Contacting these teams is often crucial to ensure that security investigations progress quickly and effectively, increase SOC responsiveness, and resolve more incidents faster. Streamlining these interactions is essential for a more agile and inclusive security strategy.
This is prompt-driven automation, a new feature included in the recently released Splunk SOAR version 6.3. Let’s see a demo.
Prompt-driven automation lets you send real-time, secure prompts to teams outside the SOC to streamline response workflows and resolve security incidents faster.
- Get effective communication with teams like IT, Network Security, HR, Legal, and end-users to make informed security decisions.
- Streamline interactions across teams for a more agile and inclusive security strategy.
- Deliver real-time secure prompts through any ITOps, ChatOps, or Ticketing application to any team across your hybrid workforce.
- Take immediate response actions based on the response for data loss prevention and phishing workflows.
Get started with prompt-driven automation today with the latest version of Splunk SOAR. Check out our Tech Talk, watch the webinar, or dive into release notes.