Get started with the Risk Notable Playbook Pack for Splunk SOAR (2024)

Splunk® Security Content

How to Use Splunk Security Content

This collection of playbooks and workbooks guides analysts through investigations of risk notables within Splunk SOAR. Risk notables are aggregates of risk anomalies within Splunk Enterprise Security. See Analyze risk in Splunk Enterprise Security in the Use Splunk Enterprise Security manual. As an analyst, learn how to use the workbooks, understand the playbooks, and explore customizing the playbooks.

The playbook pack must be used with the latest release of Splunk Security Content.

Check prerequisites for the playbook pack

Before you use the playbook pack, verify that you have these dependencies:

  • Splunk SOAR (Cloud) or (On-premises)
  • Splunk Enterprise Security with assets and identities. See Manage assets and identities in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.
  • Splunk Enterprise Security with the risk analysis framework producing risk notables. See Analyze risk in Splunk Enterprise Security in the Use Splunk Enterprise Security manual.
  • Notables you produce from Splunk Enterprise Security must include these fields:
    • risk_object
    • event_id
    • info_min_time
    • info_max_time
  • Use one of these apps from Splunkbase to bring Splunk Enterprise Security notable events into Splunk SOAR (Cloud) or (On-premises):
    • Splunk App for SOAR Export. Configure the multivalue field settings of Splunk App for SOAR Export to consolidate events into a single artifact. See About the Splunk App for SOAR Export and Configure how Splunk Phantom and Splunk SOAR handle multivalue fields in Splunk ES notable events in the Use the Splunk App for SOAR Export to Forward Events manual.
    • Splunk App for SOAR. Use this query in the on poll settings to find notable events in the correct fields:

        `notable` | search eventtype=risk_notables | fields _time, event_hash, event_id, host, info_min_time, info_max_time, risk_object, risk_object_type, risk_score, rule_description, rule_id, rule_name, search_name, source, splunk_server, urgency
  • Splunk Enterprise Security with assets and identities (optional). See Manage assets and identities in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual. The splunk_enterprise_security_tag_assets_and_identities playbook relies on this framework, and the risk_notable_auto_containment playbook uses resulting tags.

Deploy the playbook pack

Verify these deployment steps are done before you use the playbook pack:

  • Because the playbook pack follows a five-point scale of severity based on Splunk Enterprise Security, a Splunk SOAR admin must add the severity levels "Critical" and "Informational" to the default severities of "High," "Medium," and "Low." See Create custom severity names in the Administer Splunk SOAR (Cloud) manual.
  • Because the playbook pack uses the risk_notable label based on event types with the same names within Splunk Enterprise Security, a Splunk SOAR admin must add the risk_notable label. See Create a label in the Administer Splunk SOAR (Cloud) manual.
  • Configure the base URL for Splunk SOAR.
  • (Recommended step.) Copy all playbooks to a repository other than community, like local. See Configure a source control repository for your Splunk SOAR (Cloud) playbooks in the Administer Splunk SOAR (Cloud) manual. Update the matching sub-playbook calls to reference the correct repository, as well as the references in workbooks.
  • If your Splunk asset on SOAR is not called splunk, change the asset name in the playbook to match the name of your Splunk asset.
  • If Splunk Web is configured on a port other than 443, such as 8000, include that port directly after the hostname in these items:
    • The block "format es url" in the risk_notable_preprocess playbook
    • The block "format summary note" in the risk_notable_import_data playbook
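The prerequisites and deployment steps above amount to a checklist that a container built from a risk notable must satisfy before the playbooks run. The following pre-flight check is an added example, not code from Splunk or from the playbook pack: it inspects a constructed container for the four required notable fields, a single consolidated artifact, the risk_notable label and a severity on the five-point scale, and builds a Splunk Web link that carries a non-443 port after the hostname. The container and artifact layout, the urgency-to-severity mapping, and the Incident Review path and query parameter are assumptions made for illustration.

```python
"""Pre-flight checks for a Splunk SOAR container built from an ES risk notable.

Added example, not Splunk's code. The artifact layout, the urgency-to-severity
mapping and the Incident Review URL path are assumptions for illustration.
"""
from urllib.parse import urlencode, urlunparse

# The fields the documentation lists as required on every risk notable.
REQUIRED_NOTABLE_FIELDS = ("risk_object", "event_id", "info_min_time", "info_max_time")

# Five-point scale: the defaults plus the two values an admin must add.
SOAR_SEVERITIES = ("critical", "high", "medium", "low", "informational")

# Assumed mapping from ES urgency to SOAR severity (not stated in the documentation).
URGENCY_TO_SEVERITY = {s: s for s in SOAR_SEVERITIES}

REQUIRED_LABEL = "risk_notable"


def missing_notable_fields(cef: dict) -> list:
    """Return the required fields that are absent or empty in an artifact's CEF dict."""
    return [f for f in REQUIRED_NOTABLE_FIELDS if not cef.get(f)]


def severity_for_urgency(urgency: str) -> str:
    """Map an ES urgency string onto the five-point SOAR severity scale.

    Raises ValueError for values outside the scale so a missing custom
    severity is caught before a playbook tries to set it on the container.
    """
    sev = URGENCY_TO_SEVERITY.get(str(urgency).lower())
    if sev not in SOAR_SEVERITIES:
        raise ValueError(f"urgency {urgency!r} has no SOAR severity on the five-point scale")
    return sev


def check_container(container: dict) -> list:
    """Return a list of problems; an empty list means the container is ready for the playbooks."""
    problems = []
    if container.get("label") != REQUIRED_LABEL:
        problems.append(f"label is {container.get('label')!r}, expected {REQUIRED_LABEL!r}")
    artifacts = container.get("artifacts", [])
    if len(artifacts) != 1:
        # Multivalue fields are expected to be consolidated into a single artifact.
        problems.append(f"expected 1 consolidated artifact, found {len(artifacts)}")
    for art in artifacts:
        for f in missing_notable_fields(art.get("cef", {})):
            problems.append(f"artifact missing required field {f}")
    try:
        severity_for_urgency(container.get("severity", ""))
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def format_es_url(splunk_web_host: str, event_id: str, port: int = 443, scheme: str = "https") -> str:
    """Build an Incident Review link, adding the port after the hostname when it is not 443.

    The path and query parameter are assumptions; compare them with the
    "format es url" block in risk_notable_preprocess before relying on them.
    """
    netloc = splunk_web_host if port == 443 else f"{splunk_web_host}:{port}"
    path = "/app/SplunkEnterpriseSecuritySuite/incident_review"  # assumed path
    query = urlencode({"event_id": event_id})  # assumed parameter
    return urlunparse((scheme, netloc, path, "", query, ""))


# Constructed sample container, shaped like one consolidated notable artifact.
SAMPLE_CONTAINER = {
    "label": "risk_notable",
    "severity": "high",
    "artifacts": [
        {
            "cef": {
                "risk_object": "jdoe",
                "risk_object_type": "user",
                "event_id": "EXAMPLE-EVENT-ID-0001",  # placeholder, not a real notable id
                "info_min_time": "1695600000",
                "info_max_time": "1695603600",
                "risk_score": "120",
            }
        }
    ],
}

if __name__ == "__main__":
    for line in check_container(SAMPLE_CONTAINER) or ["container is ready"]:
        print(line)
    print(format_es_url("splunk.example.com", "EXAMPLE-EVENT-ID-0001", port=8000))
```

Run it against a container exported from your own Splunk App for SOAR Export or Splunk App for SOAR asset; any problem it reports corresponds to one of the prerequisite or deployment bullets above.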

Find playbooks in Splunk SOAR

To locate the playbooks from the playbook pack in Splunk SOAR (Cloud) or (On-premises), follow these steps:

  1. From the Splunk SOAR (Cloud) or (On-premises) menu, select Playbooks.
  2. Select Update from Source Control > community > Update.
  3. Filter the Category column to Risk Notable to see all core playbooks.
  4. Filter the Tags column to risk_notable to see all utility playbooks.
  5. (Recommended step.) Copy the playbooks to the local repository so you can customize them.

Workbooks in the pack

Workbooks are guided analyst workflows with phases and tasks that can recommend actions and playbooks. This pack includes three workbooks.

Risk Investigation
  Description: Guide the analyst from taking ownership of an investigation through rendering a verdict and selecting a response plan.
  Phase: Initial Triage
  Tasks: Preprocess; Investigate; Render Verdict
  Workbook playbook: risk_notable_investigate
  Suggested playbooks: risk_notable_preprocess, risk_notable_import_data, start_investigation, risk_notable_enrich, risk_notable_merge_events, risk_notable_verdict

Risk Response
  Description: Follow tasks to review suspect indicators, then select assets and users that need protection.
  Phase: Mitigate
  Tasks: Block Indicators; Protect Assets and Users
  Workbook playbook: risk_notable_mitigate
  Suggested playbooks: risk_notable_review_indicators, risk_notable_block_indicators, risk_notable_protect_assets_and_users

Risk Recovery
  Description: Respond to confirmed incidents by documenting clean-up steps and closing out investigations.
  Phase: Restore operations
  Tasks: Eradicate threats; Undo containments; Close investigations
  Workbook playbook: N/A
  Suggested playbooks: risk_notable_auto_undo_containment, reset_entity_risk, splunk_enterprise_security_close_investigation

Last modified on 25 September, 2023


This documentation applies to the following versions of Splunk® Security Content: 3.43.0, 3.44.0, 3.45.0, 3.46.0, 3.47.0, 3.48.0, 3.49.0, 3.50.0, 3.51.0, 3.52.0, 3.53.0, 3.54.0, 3.55.0, 3.56.0, 3.57.0, 3.58.0, 3.59.0, 3.60.0, 3.61.0, 3.62.0, 3.63.0, 3.64.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.1, 4.12.0, 4.13.0, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 4.23.0, 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, 4.29.0, 4.30.0, 4.31.0, 4.31.1, 4.32.0, 4.33.0, 4.34.0, 4.35.0
