
Cyware Threat Intelligence eXchange

Splunk SOAR

Connector Category: Security Orchestration Automation Response

Note

This integration is available in Intel Exchange from v3.7.4.1 onwards

About Integration

Splunk SOAR platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools to help you orchestrate security workflows, automate repetitive security tasks, and quickly respond to threats.

Using this integration, security analysts can trigger playbooks in the Splunk SOAR application from the Intel Exchange application. This lets your security operations teams trigger playbooks defined in Splunk SOAR that run multi-step workflows for incident management of your resources.

The Splunk SOAR internal application in Intel Exchange supports the following action:

  • Trigger Playbook V3

Configure Splunk SOAR in Intel Exchange

Splunk SOAR is available as an out-of-the-box integration in the Intel Exchange application. To configure it as an internal application, do the following:

Configure Splunk SOAR App in Intel Exchange

Before you Start

You must have the base URL and Access ID of your Splunk SOAR account to configure the app in Intel Exchange. The user configuring the integration should have the View & Update Tool Integration permission.

Steps

Use the following steps to configure the app in the Intel Exchange application:

  1. Sign in to the Intel Exchange application.

  2. From Administration, open Integration Management and select Internal Applications under Tool Integrations.

  3. Select Security Orchestration Automation Response.

  4. Search Splunk SOAR and click on the app.

  5. Click Add Instance.

  6. Enter the Instance name, Base URL, and Access ID.

  7. To encrypt the connection between CTIX and Splunk SOAR, select Verify SSL.

  8. Click Save.

Enable Trigger Playbooks

After configuring the Splunk SOAR application on Intel Exchange, enable the action to trigger playbooks.

  1. From Administration, open Integration Management and select Internal Applications under Tool Integrations.

  2. Select Security Orchestration Automation Response.

  3. Select Splunk SOAR.

  4. Click the ellipsis on the top right corner and click Manage.

  5. Click Manage Action(s) and select an action.

  6. Enable the toggle to trigger the playbooks.

  7. Click Save.

Create a Rule in Intel Exchange to Trigger the Playbooks

Create a rule in the Intel Exchange application to trigger the playbooks in Splunk SOAR.

  1. From the Main Menu, select Rules under Actions.

  2. Click New Rule.

  3. Enter a rule name and a description.

  4. To easily identify and categorize components in the Intel Exchange application, select Tags.

  5. Click Submit.

  6. Set the following optional Basic Details for a rule:

    • Allow all Conditions: Applies all available conditions on the selected threat data object. When selected, the system warns that the previously selected conditions will be removed, and the Conditions entry under Components on the left side of the screen is removed.

    • Run Rule after Enrichment: Runs the rule only after data enrichment and confidence score evaluation are completed.

    • Triggers on Manual Update: Runs the rule for any manual update an analyst makes to an existing threat data object. It does not run the rule for new threat data objects coming into the application. This option removes the previously selected sources and collections and prompts you to confirm allowing all sources and collections, so that the trigger fires on the updated threat data object.

    • Exclude False Positive: Excludes the identified false positives to filter the data. By default, this option is selected, and no false positives are included. This option ignores any conditions configured in the rule to remove false-positive threat data objects.

    • Exclude Indicators Allowed: Excludes the identified allowed indicators to filter the data. By default, this option is selected, and no allowed indicators are included. This option ignores any conditions configured in the rule to remove the allowed threat data objects.

  7. Select the sources, collections, and conditions for the rule.

  8. In Actions, configure the following:

    1. Actions: Trigger Playbook V3

    2. Application: Splunk SOAR

    3. Account: Select the configured Splunk SOAR account.

    4. TLP Version: Select the appropriate TLP version.

    5. Events: Select the Splunk SOAR events that identify which playbooks to trigger.

    6. Playbook Name (Optional): Provide the playbook name along with the source path, for example: <source>/<playbook_name>.

  9. Click Save.

When you run the rule, indicators will be retrieved based on the configured sources and conditions. The retrieved indicators will be submitted to the Splunk SOAR platform for actioning.
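The following Python model, added here as an illustration and not code from Cyware or Splunk, ties together the two procedures above: the instance settings from "Configure Splunk SOAR App in Intel Exchange" (Base URL, Access ID, Verify SSL) and the rule options from "Create a Rule in Intel Exchange to Trigger the Playbooks" (conditions, Run Rule after Enrichment, Triggers on Manual Update, Exclude False Positive, Exclude Indicators Allowed). The threat data object field names, the sample objects, and the `/rest/playbook_run` request shape with a `ph-auth-token` header are assumptions; the page does not describe the wire protocol the integration uses.

```python
"""Model of an Intel Exchange rule that selects indicators and builds a
Splunk SOAR playbook trigger. Added illustration; field names, sample data
and the REST call shape are assumptions, not the product's own code."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample threat data objects (assumed field names).
SAMPLE_OBJECTS = [
    {"value": "203.0.113.10", "type": "ipv4-addr", "confidence": 80,
     "false_positive": False, "allowed": False, "enriched": True, "manual_update": False},
    {"value": "198.51.100.7", "type": "ipv4-addr", "confidence": 90,
     "false_positive": True, "allowed": False, "enriched": True, "manual_update": False},
    {"value": "example.com", "type": "domain-name", "confidence": 95,
     "false_positive": False, "allowed": True, "enriched": True, "manual_update": True},
    {"value": "192.0.2.44", "type": "ipv4-addr", "confidence": 30,
     "false_positive": False, "allowed": False, "enriched": False, "manual_update": False},
]


@dataclass
class Rule:
    """Basic Details of a rule as listed on the page; defaults follow the page."""
    conditions: list = field(default_factory=list)  # predicates over one object
    allow_all_conditions: bool = False   # page: selected conditions are removed
    run_after_enrichment: bool = False
    triggers_on_manual_update: bool = False
    exclude_false_positive: bool = True
    exclude_indicators_allowed: bool = True


def evaluate_rule(rule, objects):
    """Return the objects the rule would submit to Splunk SOAR."""
    matched = []
    for obj in objects:
        # Triggers on Manual Update: only analyst edits to existing objects qualify.
        if rule.triggers_on_manual_update and not obj["manual_update"]:
            continue
        # Run Rule after Enrichment: wait for enrichment and confidence scoring.
        if rule.run_after_enrichment and not obj["enriched"]:
            continue
        # The two exclusions apply regardless of the configured conditions.
        if rule.exclude_false_positive and obj["false_positive"]:
            continue
        if rule.exclude_indicators_allowed and obj["allowed"]:
            continue
        # With Allow all Conditions the per-condition filter is not applied
        # (interpretation of the page: the selected conditions are removed).
        if not rule.allow_all_conditions and not all(c(obj) for c in rule.conditions):
            continue
        matched.append(obj)
    return matched


# Playbook Name as the page describes it: <source>/<playbook_name>
PLAYBOOK_REF = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_ .-]+$")


def build_playbook_trigger(base_url, access_id, playbook_name, container_id, verify_ssl=True):
    """Build the HTTP call that asks Splunk SOAR to run one playbook.

    Assumption: Splunk SOAR's REST endpoint POST /rest/playbook_run with the
    Access ID sent as a ph-auth-token header; container_id is a hypothetical
    SOAR container the playbook would act on.
    """
    if urlparse(base_url).scheme != "https":
        raise ValueError("Base URL must use https; the Access ID is a bearer credential")
    if not PLAYBOOK_REF.match(playbook_name):
        raise ValueError("Playbook Name must be <source>/<playbook_name>")
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/rest/playbook_run",
        "headers": {"ph-auth-token": access_id, "Content-Type": "application/json"},
        "json": {"container_id": container_id, "playbook_id": playbook_name,
                 "scope": "new", "run": True},
        # Verify SSL off means the server certificate is not checked, so the
        # Access ID could be captured by anyone able to intercept the connection.
        "verify": verify_ssl,
    }


if __name__ == "__main__":
    rule = Rule(conditions=[lambda o: o["confidence"] >= 70])
    for obj in evaluate_rule(rule, SAMPLE_OBJECTS):
        req = build_playbook_trigger("https://soar.example.internal", "ACCESS_ID_PLACEHOLDER",
                                     "local/enrich_ip", container_id=42)
        print(obj["value"], "->", req["method"], req["url"], req["json"]["playbook_id"])
```

With the page's defaults, the false-positive object and the allowed indicator are dropped before the confidence condition is even evaluated, which is the behaviour the two Exclude options describe. The request builder refuses a plain `http` Base URL and leaves `verify` set to `True`, matching the Verify SSL option in the instance configuration.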