
What is Splunk Phantom, Renamed to Splunk SOAR?

Splunk Phantom, renamed to Splunk SOAR, is a security orchestration, automation, and response (SOAR) solution. Security automation involves machine-based execution of security actions to detect, investigate and remediate threats programmatically.

Splunk SOAR provides security infrastructure orchestration, case management, playbook automation, and integrated threat intelligence. The solution can ingest security events from various sources, letting you track, analyze, and triage events, and use playbooks to automate responses from one interface.

This is part of our series of articles about Splunk SIEM.

Differences Between Splunk SOAR and Splunk Phantom

Splunk Phantom was renamed to SOAR and is now delivered as a cloud-based service. While Splunk SOAR is similar to Phantom, there are differences in both architecture and functionality. For those familiar with the original Phantom solution, here are the key differences:

  • Applications and connectors. Splunk Phantom: used a plugin architecture that allowed you to develop custom connectors. Splunk SOAR: comes with over 100 built-in apps / connectors for security and IT systems.
  • Storage. Splunk Phantom: relies on on-premises equipment and requires dedicated storage. Splunk SOAR: provides 600 GB of disk space and another 600 GB of storage for its PostgreSQL database.
  • CLI. Splunk Phantom: enables CLI access. Splunk SOAR: no CLI access—you can access self-service capabilities via the graphic UI, or submit a support ticket for infrastructure issues.
  • REST API. Splunk Phantom: provides REST API endpoints for all key functionality. Splunk SOAR: supports a subset of the Phantom REST APIs, as detailed in the documentation.
  • Mobile support. Splunk Phantom: supports the legacy Splunk Connected Experience mobile apps. Splunk SOAR: supports mobile devices via the new Splunk Mobile App.
  • Python scripting for playbooks. Splunk Phantom: supports Python 2 scripting. Splunk SOAR: supports Python 3.6.13 and upwards.
  • SAML2 authentication. Splunk Phantom: does not support SAML2 for authentication. Splunk SOAR: supports SAML2.

Splunk SOAR Architecture

Splunk SOAR works by first connecting to third-party sources using connectors called apps. Admins can configure apps and owners can manage them. 

The solution ingests security events into containers. Events may contain IP addresses, email headers, and file hashes stored as artifacts inside containers. You can promote containers to a case consolidating multiple containers, and workbooks can help you define how to manage containers and cases. You can also use playbooks to automate actions.

The image below shows how security automation works in Splunk SOAR.

[Image: how security automation works in Splunk SOAR (Image Source: Splunk)]

Splunk SOAR tightly integrates with Splunk Enterprise Security. Learn more in our detailed guide.

Splunk SOAR Features and Capabilities

Apps

In Splunk SOAR, an app establishes connectivity with third-party security products and services. It enables Splunk SOAR to access and run third-party actions. Certain apps also provide a visual component, such as a widget, that helps render the app's data.

Here are three key Splunk SOAR apps:

  • MaxMind—lets you use an action to locate an IP address’s geographical location.
  • PhishTank—lets you use an action to find a URL’s reputation.
  • Palo Alto Networks (PAN) Firewall—lets you use several actions, including blocking and unblocking access to applications, URLs, and IP addresses.

App Editor

Splunk SOAR provides the App Editor interface to help you quickly and easily create, test, and edit apps. You can use the App Editor to view and add code, see log results, test actions, and troubleshoot. 

Asset

In Splunk SOAR, an asset is an app instance representing a virtual or physical device, such as a router, firewall, endpoint, or server. For example, to connect to a firewall, you set up an asset and specify the connection details for that firewall. If the environment includes multiple firewalls, you set up one asset per firewall.

Container

A Splunk SOAR container is a security event ingested from a third-party source. All containers are assigned labels, which enable Splunk to group related containers. The default label of containers is Events.

Case

A case in Splunk SOAR is a container that holds several containers. A case can help you consolidate multiple events into one incident that you can investigate as a whole. For example, after locating several related containers, you can promote one container to a case and add all other related containers.
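The container, label, artifact and case relationships described in the two sections above, as an added illustration that is not Splunk's code: a simplified in-memory model of ingestion, correlation on shared indicators, and promotion of a container to a case. The sample events are constructed; the CEF-style artifact keys (sourceAddress, requestURL, fileHash) follow the naming convention SOAR artifacts use, but the data model here is an assumption, not the product's REST schema.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample events, shaped like what a SIEM might forward to SOAR:
# a name, a label, and artifacts whose "cef" dict carries the indicators.
SAMPLE_EVENTS = [
    {"name": "Phishing email reported", "label": "events",
     "artifacts": [{"cef": {"sourceAddress": "203.0.113.10",
                            "requestURL": "http://example.invalid/login"}}]},
    {"name": "Outbound connection alert", "label": "events",
     "artifacts": [{"cef": {"sourceAddress": "203.0.113.10"}}]},
    {"name": "Malware hash detected", "label": "events",
     "artifacts": [{"cef": {"fileHash": "constructed-hash-0001"}}]},
]


@dataclass
class Container:
    id: int
    name: str
    label: str
    artifacts: List[Dict[str, str]]
    container_type: str = "default"   # becomes "case" once promoted
    children: List[int] = field(default_factory=list)


def ingest(events):
    """Wrap each raw event in a container; the default label is 'events'."""
    return [Container(i + 1, e["name"], e.get("label", "events"),
                      [a["cef"] for a in e.get("artifacts", [])])
            for i, e in enumerate(events)]


def indicators(c):
    """Set of (field, value) pairs an analyst would pivot on."""
    return {(k, v) for cef in c.artifacts for k, v in cef.items()}


def find_related(containers, target):
    """Containers with the same label that share at least one indicator."""
    wanted = indicators(target)
    return [c for c in containers
            if c.id != target.id and c.label == target.label
            and indicators(c) & wanted]


def promote_to_case(containers, target_id):
    """Promote one container to a case and attach its related containers."""
    by_id = {c.id: c for c in containers}
    target = by_id[target_id]
    target.container_type = "case"
    target.children = [c.id for c in find_related(containers, target)]
    return target
```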

Playbooks

Splunk SOAR employs playbooks to automate IT and security actions at machine speed. Here are key benefits of Splunk SOAR playbooks:

  • Automated action — playbooks can execute a sequence of actions across several tools in seconds, whereas manually performing these actions can take hours or more.
  • Pre-made playbooks — Splunk SOAR includes 100 pre-made playbooks that you can use to start automating your security tasks quickly.
  • A visual playbook editor — enables you to easily create, edit, implement, and scale playbooks to help you eliminate the grunt work usually plaguing security analysts.

[Image: Splunk SOAR playbooks (Image Source: Splunk)]

The diagram above illustrates the following playbooks:

  • Playbook 1 — configured to run actions from the MaxMind and PAN Firewall version 2.7 assets every time a new container is created within Splunk SOAR.
  • Playbook 2 — configured to run actions from the PhishTank and PAN Firewall version 3.0 assets every time a specific workbook is used in a case.

Visual Playbook Editor + Input Playbooks

Splunk SOAR provides a visual playbook editor that lets you easily create, edit, implement, and scale automated playbooks. It aims to eliminate security analysts' grunt work and enable incident response at machine speed.

For example, you can use the editor to build an input playbook that automates simple security and IT tasks. You can use it as part of larger playbooks when establishing a modular automation approach. 

Case Management

Splunk SOAR provides workbooks for case management. A workbook enables you to codify a standard operating procedure into a reusable template. You can use it to divide tasks into phases, document your work, and assign tasks to collaborators. It also lets you use custom workbooks alongside industry-standard workbooks like the NIST-800 template for incident response. 

Event Management

Splunk SOAR consolidates events ingested from multiple sources into one location. This level of consolidation enables analysts to filter and sort all events to identify high-fidelity events and prioritize action quickly. 

Custom Functions

Splunk SOAR lets you use custom functions to share custom code across playbooks while introducing complex data objects into the execution path. These out-of-the-box custom blocks can help save time and effort, allowing you to scale your automation without coding it.
