Publish Your Splunk SOAR Apps Faster

The process for our technology partners to publish their SOAR Apps to Splunkbase just got faster and simpler. App updates are now automatically pulled from our partners’ GitHub repositories into the Splunkbase library in a matter of minutes. With 350+ SOAR Apps on Splunkbase across 200+ partners, this process improvement makes Splunk easier to integrate with and more importantly, provides our customers with even faster access to up-to-date Apps.

This is critical since security orchestration and automation is all about enabling integrations with key technologies, like putting a complex puzzle together. The puzzle pieces are integrations (“Apps”) that our SOAR customers use to build playbooks that automate their response workflows. A playbook allows Splunk SOAR to perform actions on an organization’s various third-party tools and utilities and all of these actions need to be supported by our technology partners. Apps power these actions, and when combined, create playbooks such as “endpoint alert enrichment” on the more common side and “custom hunting playbooks” on the more advanced user side.

See it in Action

We have been working with multiple technology partners to ensure the enhanced process, well…works! It will be highlighted in a .conf22 in session titled "SEC1104C: Jump to Hyperspace-Publish Apps at Lightspeed with Open SOARce." As a preview to this session, our technology partner DomainTools put together a short video which shows them making an update to one of their Apps and publishing it for customers on Splunkbase within minutes. Check it out in the following video.

From GitHub to Splunkbase in Minutes

As you saw in the video, we tested the process against an update to their Iris Investigate App. This App is designed to automate, “...investigative actions to profile domain names, get risk scores, and find connected domains that share the same Whois details, web hosting profiles, SSL certificates, and more.” When the DomainTools App developers needed to update the Iris Investigate App on GitHub, they simply accepted a pull request and in about 5 minutes, it was reflected on Splunkbase. For Splunk SOAR users who utilize Iris Investigate in their workflows, the updated App is immediately available.

In the spirit of “SOAR,” we have automated the process whereby App updates are made available in Splunkbase. The speed with which Splunk SOAR users can pull in these App updates from GitHub to Splunkbase is absolutely critical. We aim to push these updates into the hands of our end users with as little manual intervention as possible. And having automated integrations between GitHub and Splunkbase is the essential connection that, before now, was missing.

Getting Started

Moving forward, we will continue to make this process available to our SOAR technology partners so that we can see more successful case studies like the one shared above.

There are a few ways to get started:

• If you’re a Splunk technology partner and want to get started with enabling this App publishing process, please check out this page for more information (login required).
• Not signed up as a partner yet? Sign up today!
• The above case study with DomainTools is being highlighted in the .conf22 in session, "SEC1104C: Jump to Hyperspace-Publish Apps at Lightspeed with Open SOARce." If you’re attending .conf22, please be sure to add this session to your agenda.
• Try out the DomainTools Iris Investigate app for Splunk SOAR.

This article was co-authored by Dane Disimino, Sr. Product Marketing Manager for SOAR with Splunk.