As it says on the official Splunk website, this application turns machine data into answers.
But which kind of answers?
Splunk is a powerful tool for handling large amounts of data and can be used for multiple purposes such as IT monitoring, SIEM or SOAR.
In this post I want to give a short introduction to using Splunk as a semi-SOAR platform.
First we need to discuss what a SOAR is and what Splunk is.
SOAR (Security Orchestration, Automation and Response) is a solution stack of compatible software programs that allows an organization to collect data about security threats from multiple sources and respond to low-level security events without human assistance. The goal of using a SOAR stack is to improve the efficiency of physical and digital security operations. This applies to compatible products and services that help define, prioritize, standardize and automate incident response functions.
On the other hand, Splunk is a software product that enables you to search, analyze and visualize the data gathered from the components of your IT infrastructure or business. Splunk takes in data from websites, applications, sensors, devices and so on. After you define the data source, Splunk indexes the data stream and parses it into a series of individual events that you can view and search.
To define what is needed to use Splunk as a SOAR platform, we should collect the requirements that would make our system semi-automated.
When we collect data in Splunk, we can do more than create alerts, dashboards and reports from it: automated tasks can also be created to help our Security or Infrastructure team handle issues more swiftly.
Such a task is a script that takes its arguments from our search results; Splunk runs the script with those arguments when the alert fires.
For example, we can create a search over our firewall logs, use the results (for example the SYN-flooding logs) to identify the attacking IP address, and with a custom script automatically block that IP on our firewall.
Another example is a Python script that queries the Active Directory servers to identify the members of a distribution list, for the case where a suspicious mail targets multiple lists and we want to find out exactly which people are affected. In this scenario we can also automate a mail-sender script to notify that personnel about the suspicious mail and prevent further issues.
This short post was written to introduce the possibility of converting Splunk from a SIEM into an automated response platform.