On your marks, get set, GO!
Take a more in-depth look at the automation and orchestration journey and the future of SOAR.
Watch the SOCtails video here: https://www.youtube.com/watch?v=YzsGQzqaDYw&t=2s
6. Security Operations Suite Architecture (diagram)
Layers, bottom to top: Customer Delivery (cloud, on-prem, hybrid with brokers); Platform for Machine Data, alongside other data lakes; Applications (future Splunk solutions, 3rd-party plug-ins); Solutions; Mission Control (cloud-based unified security operations).
7. Security Operations Suite capabilities (diagram)
Ingest, Detect, Predict, Automate, Orchestrate, Recommend, Collaborate, Investigate, Manage Cases, Report.
Underpinned by Artificial Intelligence, Content and Machine Learning.
13. Playbook Methodology
Introducing utility playbooks: compact playbooks that quickly perform common, independent functions.
• Ingest alert
• Collect evidence
• Create ticket
• Notify IR team
• Investigate evidence
• Scope event
• Contain asset
Each utility playbook is described by four fields:
Input: the source(s), i.e. events, a process or information.
Action: the transformation(s), duties and actions to be performed by a person, tool, analysis or correlation within the function.
Artifacts: the expected output of the actions performed by the process or function.
Interaction: owner, actioner, supporter, consulted and involved/informed parties, between teams, technology or events.
17. The Norlys journey: automating 3 common use-cases at SOARing heights.
https://www.slideshare.net/Splunk/splunklive-stockholm-2019-customer-presentation-norlys
18. Their Story
▶ Situation: had to build log analytics and incident response capabilities from the ground up for a relatively big company in Denmark.
▶ Struggling with: repetitive tasks, a myriad of tools, slow web UIs, and creating and maintaining internal processes.
▶ Wanted: a central screen for investigations with in-depth documentation and automation capabilities.
▶ Enter Phantom: with Phantom we are now able to automate the boring tasks and document every step; it doesn't matter whether it's automated or manual.
19. Their 5 Step Journey with Splunk Phantom
1. Using Phantom for documentation and adding everything manually
2. Using applications in Phantom for semi-automated investigation processes
3. Chaining applications/actions together to create playbooks
4. Customizing the playbooks with some custom code, if needed
5. Connecting Splunk and Phantom for closer integration
Most Splunk ES notable events are now forwarded to Phantom (automated ticket creation).
Most of the tickets automatically initiate enrichment actions (automated ticket enrichment).
Advanced incident handling capabilities: Mission Control allows us to document and maintain our processes inside Phantom.
20. Use Cases at Norlys
• Production server group containment with the 4-eyes principle
• Grab a quarantined file from an endpoint and upload it to the malware sandbox for analysis
• Grab browsing history from an endpoint
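What the three outcomes of the 5-step journey and the four-eyes containment use case look like when the utility playbooks from slide 13 are chained, as an added example that is not Splunk's or Norlys's code: an ES notable event is mapped onto a container with one CEF artifact (step 5), then ingest, evidence collection, scoping and containment run in sequence, and containment of a production host is held until a second, different approver signs off. The phantom.rules playbook API, the SOAR REST endpoints and the Splunk-to-Phantom app are not used; the notable event, the intel lookup, the production host group and the urgency-to-severity mapping are constructed stand-ins.

```python
"""Constructed simulation of the Norlys-style workflow: ES notable event ->
SOAR-style container -> chained utility playbooks -> four-eyes containment.
Added example, not Splunk or Norlys code; no phantom.rules API is used."""
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed ES notable event. Field names follow the ES notable index
# (rule_name, urgency, src, dest, dest_host); the values are made up, the
# hash is the SHA-256 of the EICAR test file.
SAMPLE_NOTABLE = {
    "rule_name": "Malware Detected on Host",
    "urgency": "high",
    "src": "10.20.30.40",
    "dest": "10.20.30.41",
    "dest_host": "prod-web-01",
    "file_hash": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
}
# Constructed stand-ins for an enrichment app and a CMDB host group.
BAD_HASHES = {SAMPLE_NOTABLE["file_hash"]: "EICAR test file"}
PRODUCTION_GROUP = {"prod-web-01", "prod-web-02"}
# ES urgency -> container severity (assumed mapping; anything else is "low").
SEVERITY = {"critical": "high", "high": "high", "medium": "medium"}
_ticket_seq = itertools.count(1)


@dataclass
class Container:
    """Minimal container: artifacts carry CEF fields, notes document every step."""
    name: str
    severity: str
    host: str
    artifacts: List[Dict] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)
    approvals: Set[str] = field(default_factory=set)
    ticket_id: Optional[str] = None
    is_production: bool = False
    contained: bool = False


def notable_to_container(notable: Dict) -> Container:
    """Step 5 of the journey: map a notable event onto a container plus one
    artifact whose fields use CEF names, as SOAR artifacts do."""
    cef = {
        "sourceAddress": notable["src"],
        "destinationAddress": notable["dest"],
        "destinationHostName": notable["dest_host"],
        "fileHash": notable["file_hash"],
    }
    c = Container(name=notable["rule_name"],
                  severity=SEVERITY.get(notable["urgency"], "low"),
                  host=notable["dest_host"])
    c.artifacts.append({"name": "notable event", "cef": cef})
    return c


# Utility playbooks: each performs one independent function and documents itself.
def ingest_alert(c: Container) -> str:
    c.ticket_id = f"TICKET-{next(_ticket_seq)}"
    c.notes.append(f"ingest_alert: created {c.ticket_id} for '{c.name}'")
    return c.ticket_id


def collect_evidence(c: Container) -> List[Dict]:
    """Enrich every fileHash artifact against the (constructed) intel source."""
    found = []
    for art in list(c.artifacts):
        verdict = BAD_HASHES.get(art["cef"].get("fileHash", ""))
        if verdict:
            found.append({"name": "intel verdict",
                          "cef": {"fileHash": art["cef"]["fileHash"], "malwareName": verdict}})
    c.artifacts.extend(found)
    c.notes.append(f"collect_evidence: {len(found)} hash(es) matched intel")
    return found


def scope_event(c: Container) -> bool:
    c.is_production = c.host in PRODUCTION_GROUP
    c.notes.append(f"scope_event: {c.host} production={c.is_production}")
    return c.is_production


def contain_asset(c: Container, approver: str) -> bool:
    """Four-eyes principle: a production host is isolated only once two
    distinct people have approved; the same person cannot approve twice."""
    if approver in c.approvals:
        raise ValueError(f"{approver} already approved; a second person is required")
    c.approvals.add(approver)
    c.notes.append(f"contain_asset: approval from {approver}")
    if c.is_production and len(c.approvals) < 2:
        c.notes.append("contain_asset: held, waiting for second approval")
        return False
    c.contained = True
    c.notes.append(f"contain_asset: {c.host} isolated")
    return True


def run_chain(notable: Dict, approvers: List[str]) -> Container:
    """Chain the utility playbooks the way a top-level playbook would."""
    c = notable_to_container(notable)
    ingest_alert(c)
    collect_evidence(c)
    scope_event(c)
    for approver in approvers:
        if contain_asset(c, approver):
            break
    return c


if __name__ == "__main__":
    print("\n".join(run_chain(SAMPLE_NOTABLE, ["alice"]).notes))
```

Run as-is, the chain stops with containment held after a single approval because prod-web-01 is in the production group; passing a second, different approver completes the isolation, while a non-production host is isolated on the first approval. Every step appends to the container's notes, which is the "document every step, automated or manual" property the Norlys slide describes.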
51. Splunk technology covered in this session (the Security Operations Suite architecture diagram from slide 6, repeated)