Unify and Automate TDIR Workflows with Splunk SOAR 6.3 and Splunk Enterprise Security 8.0

Security teams are juggling 25+ different security tools that perform different actions across detection, investigation and response. Look up an IP here, send malware to a sandbox there, block an executable over there.

What’s worse is that the vast majority of those actions are being performed manually. This approach is simply too slow against fast-moving attackers and malware, and it certainly isn’t sustainable.

With the release of Splunk SOAR version 6.3 and Splunk Enterprise Security version 8.0, Splunk SOAR capabilities are now natively integrated within Splunk Enterprise Security[1]. This revolutionizes the consumption model for automation within a SOC and across detection, investigation and response workflows, and brings automation to all tiers of security analysts. Analysts can seamlessly manage and automate workflows across their entire security and IT stack — with visibility and control centralized within their SIEM.

So how does this integration look and feel, and how does it manifest within the Splunk SOAR user interface?

Watch this demo video to see how we can easily build a Splunk SOAR playbook that utilizes native integration with Splunk Enterprise Security.

Now let’s break down the features and capabilities that made that possible.

It starts with the Splunk Enterprise Security connector in Splunk SOAR. This allows you to automate any process or task from the Splunk Enterprise Security user interface. It includes more than 35 API calls, and the ability to automatically triage findings from the Analyst Queue in Splunk Enterprise Security.

Splunk SOAR 6.3 also delivers the Automation Rules Framework. This ensures that playbooks are appropriately dispatched when new detections and findings appear in Splunk Enterprise Security. Within the Splunk SOAR user interface, it’s easy to select amongst potentially hundreds of detections and assign them to a few playbooks. You can also assign a specific detection to launch a specific playbook. The analyst has better visibility and control over what playbooks are being triggered automatically, and it supports both generic and hyper-specific automation use cases.

We’ve also made sign-on a breeze. The self-pairing feature provides a single sign-on across Splunk Enterprise Security and Splunk SOAR. It also allows the admin to selectively grant SOAR functionality with new role mapping to users.

From the perspective of your Splunk Enterprise Security user interface, the “Run Playbook” button is directly integrated into the Analyst Queue, where an analyst can select findings and run automation on them with a single click, without ever navigating away from the Splunk Enterprise Security user interface. Going further, the analyst can open an investigation with built-in Response Plans that provide prescriptive guidance and suggestions on which playbooks can be run as part of that investigation. This allows analysts to orchestrate playbooks from within an investigation in just a few clicks.

What do all of these features look like from the perspective of your Splunk Enterprise Security user interface? Check out this demo.

This native SIEM and SOAR integration marks a new evolution in how SOC analysts can seamlessly use their SIEM and SOAR together to automatically detect, investigate, and respond to security incidents. To learn more, check out our Tech Talk, watch the webinar, or dive into release notes.

[1] Both a Splunk SOAR and Splunk Enterprise subscription are required to utilize orchestration and automation capabilities within Splunk Enterprise Security. Splunk SOAR is not included for free as part of your Splunk Enterprise Security subscription.
