Page 1
Supercharge Your SOC with Automation
Robert Walker, Staff Security Architect, Splunk
Page 2
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2019 Splunk Inc. All rights reserved.
THIS SLIDE IS REQUIRED FOR ALL 3RD-PARTY PRESENTATIONS.
Page 3
AGENDA
• SOAR History and the Future
• What is SOEL?
• SOAR Loser?
• Hacking Your SOEL
• Q&A
Page 4
KEY TAKEAWAYS
1. Pillars of Splunk
2. Understand SOEL and SOAR
3. Understand SOEL impacts and difference to SOAR development
4. How to use SOEL to ensure your SOAR is effective
Page 5
© 2019 SPLUNK INC.
Every problem is a data problem
Investigate | Monitor | Analyze | Act
Page 6
This digital evolution is changing everything. There’s an explosion of data beyond anything our world has experienced:
IoT
3D PRINTING SMART CITIES
CLOUD
DRONES
MACHINE LEARNING
SELF-DRIVING EVERYTHING
AUTONOMOUS EVERYTHING
DNA MAPPING AND GENETIC MANIPULATION
SMART PHONES
SMART APPLIANCES
SMART BUILDINGS
Page 7
163 Zettabytes: 10X the data we have today by 2025
There’s more data than ever before
Page 8
What makes Splunk unique as a data platform
INVESTIGATE
MONITOR
ANALYZE
ACT
Page 9
Splunk Security Portfolio
DATA PLATFORM | ANALYTICS | OPERATIONS
> Universal indexing
> Petabyte scale
> Multi-schema
> Search, alert, report, visualize
> Broad support
Machine Learning Toolkit (MLTK)
ES Content Update
Page 10
Data Capabilities In The SOC
INVESTIGATE: Incident investigation, Forensics, Threat hunting
MONITOR: Security monitoring, Compliance
ANALYZE: Incident Response, Fraud
ACT: SOC Automation, Orchestration, Response
Page 11
Security Operations Problems
• Escalating volume of security alerts
• Resource shortage of 1 million security professionals
• Endless assembly line of point products
• Static independent controls with no orchestration
• Speed of detection, triage, & response time must improve
• Costs continue to increase
Page 12
The OODA loop of a traditional SOC:
• Observe: Point Products (Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detonation)
• Orient: Analytics (SIEM, Threat Intel Platform, Hadoop, GRC)
• Decide: Decision Making / Context (Tier 1, Tier 2, Tier 3 analysts)
• Act: Acting / Doing something (Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detonation)
6 Million Dollar SOC…
Page 13
What is SOEL?
Security Operations Event Lifecycle
Page 14
© 2018 SPLUNK INC.
Every SOC process has them
Security Operations Events Lifecycle
Traditional Security Operation Actions: INGESTION OR ALERTING | EXTERNAL VALIDATION | INTERNAL HUNTING | MONITORING / CHANGE | RUN JOBS | NOTIFICATIONS
Page 15
Each lifecycle stage, the sources or tools that typically serve it, the action verbs performed on it, and what it produces (Actions / Artifacts):

| Stage | Examples | Actions | Produces |
|---|---|---|---|
| INGESTION OR ALERTING | Threat Intel, SIEM events, Phone calls | Poll, Push | Events |
| EXTERNAL VALIDATION | VirusTotal, OpenDNS, iSight | Look Up | Context |
| INTERNAL HUNTING | Logs, Endpoint search | Hunt | Artifacts |
| CHANGE / MONITORING | Firewall Rules, IDS Signatures, Endpoint Alerts, Proxy Blocks | Set, Block/Quarantine | Artifacts |
| RUN JOBS | Malware Analysis, Forensics | Analyze, Get… | Artifacts |
| NOTIFICATIONS | Ticketing, Reports | Send, Receive | Measure |
Page 16
Splunk’s Future SOC Vision
Page 17
Are you a SOAR loser?
What is SOAR and why am I missing out?
It’s only for the big companies with lots of well documented responses…
Page 18
DON’T BE A SOAR LOSER!
Example of an industry-leading SOAR platform
SOAR = Security Orchestration, Automation, and Response
Security Orchestration is making music
Security Automation is a bread maker
Security Response is the lifeblood of the SOC to reduce Risk Impact
Hack your SOEL to get your SOAR on!
Page 19
ARE YOU THE NEXT BEETHOVEN?
Conduct your team, processes and tools together
▪ Work smarter by automating repetitive tasks and focus on more mission-critical tasks
▪ Respond faster and reduce dwell times with automated integration, investigation, and response
▪ Strengthen defenses by integrating existing security infrastructure
Page 20
Hacking your SOEL?
Discovering your SOEL to help modernize your SOC
Page 21
HOW TO HACK YOUR SOEL
• Monitor
• Discover
• Respond
• Measure
• Automate
• Transform
• Learn
Page 22
USE CASE OVERVIEW
Security Analyst Use Cases
• Privileged user monitoring
• Botnet Detection
• Fraud detection in E-Payment
• Unauthorized Service Monitoring
• Identify Patient-Zero
• Vulnerability Management Posture
• Fraud detection: Online Banking
• Update Monitoring
• Detecting Zero Day Attacks
• Threat Intelligence Correlation
• Fraud detection in proper service usage
• Website defacement
• Detect and Stop Data Exfiltration
• User Account Sharing
• Defense in depth investigations
• Spam to external
• Phishing Attacks
• Incident Investigation across teams
• Give teams the visibility they need
• SQL Injections
• Dynamic Risk and Pattern Management
• Monitoring of expired user accounts
Hunter Use Cases
• On Demand APT Scanning
• SSL certificate analytics
• User Agent String analytics
CISO Use Cases
• In the news!
• Information Driven Security
• Compliance reporting
• Centralized Situational Awareness
Page 23
Hacking your SOEL
Suspicious email, as handled today:
• Review email
• Review body and header info
• Query recipients
• Hunt file
• Hunt URL
• File / URL reputation
• File assessment
• Remove email
Page 24
Hacking your SOEL
Suspicious email, as a playbook:
• Ingest email
• Parse files, URLs, email headers
• File / URL reputation
• Detonate unknown URL / file
• Hunt file
• Hunt URL
• Task analyst
• Phish / host assessment
• Remove email
Page 25
Playbook actions grouped by lifecycle stage:
INGEST: Poll, Push, Ingest, Set Status, Set Severity, Create Artifacts, Save Objects, Set Tags
INVESTIGATE: File Analysis, Domain Analysis, URL Analysis, Host Analysis, IP Analysis, Logon Analysis, Run Query, Get Events
CONTAIN: Disable User, Block Hash, Block URL, Block Domain, Block IP, Quarantine Host, Block Process, Disable VPN
NOTIFY: Email SOC Leadership, Chat IT Help Desk, Engineering, Prompt SOC, Task SOC
DOCUMENT: Create Ticket, Update Ticket, Close Ticket, Transfer Ticket, Query Tickets, Create Artifacts, Close Objects
“Customer Success is our commitment and your content”
Page 26
KEY TAKEAWAYS
CAN YOU AFFORD NOT TO SOAR WITH YOUR SOEL?
1. Understand SOEL and SOAR
2. Understand SOEL impacts and difference to SOAR
3. How to use SOEL to ensure your SOAR is effective
Page 27
Q&A
Page 28
Thank You
Page 29
Appendix
Page 30
File Analysis Playbook
Process hacking – which one is first?
► INPUT: Receive a hash and/or file
► INTERACTIONS:
► ARTIFACTS:
• P1:
• P2:
• P3:
► ACTIONS:
Page 31
File Analysis Playbook
Define the Artifacts for Decide and Act!
► INPUT: Receive a hash and/or file
► INTERACTIONS:
► ARTIFACTS:
• P1: Analyze, Prompt, Block Known malware (Block now)
• P2: Analyze, Sandbox, (De)Escalate (Prompt, Review)
• P3: Cache Results, Display Report (Required Manual Analysis)
► ACTIONS:
Page 32
File Analysis Playbook
Build a utility playbook for file analysis
► INPUT: Receive a hash and/or file
► INTERACTIONS:
VirusTotal, ThreatConnect, CarbonBlack, Falcon Sandbox, Analyst, SMTP, CB Response, Palo Alto, Zscaler, ThreatCrowd
► ARTIFACTS:
• P1: Analyze, Prompt, Block Known malware
• P2: Analyze, Sandbox, (De)Escalate
• P3: Cache Results, Display Report, Manual Analysis
► ACTIONS:
Page 33
File Analysis Playbook
Build a utility playbook for file analysis
► INPUT: Receive a hash and/or file
► INTERACTIONS: VirusTotal, ThreatConnect, CarbonBlack, Falcon Sandbox, Analyst, SMTP, CB Response, Palo Alto, Zscaler, ThreatCrowd
► ARTIFACTS:
• P1: Analyze, Prompt, Block Known malware
• P2: Analyze, Sandbox, (De)Escalate
• P3: Cache Results, Display Report, Manual Analysis
► ACTIONS: Block file, File Rep w/ rate limit, Block IP, Block Domain, Block URL, URL Rep, Domain Rep, Get File, Detonate File, Prompt Analyst, Change Severity, Change Sensitivity, Send Email, Quarantine Host
Page 34
File Analysis Playbook
Build a utility playbook for file analysis
► INPUT: Receive a hash and/or file
► INTERACTIONS: VirusTotal, ThreatConnect, CarbonBlack, Falcon Sandbox, Analyst, SMTP, CB Response, Palo Alto, Zscaler, ThreatCrowd
► ARTIFACTS:
• P1: Analyze, Prompt, Block Known malware
• P2: Analyze, Sandbox, (De)Escalate
• P3: Cache Results, Display Report, Manual Analysis
► ACTIONS: Block file, File Rep w/ rate limit, Block IP, Block Domain, Block URL, URL Rep, Domain Rep, Get File, Detonate File, Prompt Analyst, Change Severity, Change Sensitivity, Send Email, Quarantine Host, Get Approval, Hunt file, Hunt URL, Promote Case, Cache Hash, Store File, Analyze File, Task Forensics, Block Process, Get customer info, Get system info, Check white/black lists, Get BU info, Run query, Lookup info (Threat Intel)
Page 36
File Analysis Playbook
Build a utility playbook for file analysis
► INPUT: Receive a hash and/or file
► INTERACTIONS: VirusTotal, ThreatConnect, CarbonBlack, Falcon Sandbox, Analyst, SMTP, CB Response, Palo Alto, Zscaler, ThreatCrowd
► ARTIFACTS:
• P1: Analyze, Prompt, Block Known malware
• P2: Analyze, Sandbox, (De)Escalate
• P3: Cache Results, Display Report, Manual Analysis
► ACTIONS: Block file, File Rep w/ rate limit, Block IP, Block Domain, Block URL, URL Rep, Domain Rep, Get File, Detonate File, Prompt Analyst, Change Severity, Change Sensitivity, Send Email, Quarantine Host, Create ticket, Get Approval, Hunt file, Hunt URL, Promote Case, Cache Hash, Store File, Analyze File, Task Forensics, Block Process, Get customer info, Get system info, Check white/black lists, Get BU info, Run query, Lookup info (Threat Intel)
Stage legend for the actions above (each action is tagged on the slide with its stage; the per-action tags are figure content not recoverable from the text): Ingest, Investigate, Contain, Notify, Record, Utility.
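The decide-and-act core of the file analysis utility playbook from the appendix (and the file reputation / detonate steps of the suspicious-email playbook on page 24), written out as an added Python example; this is not Splunk SOAR or Phantom code. The reputation feed, sandbox verdicts, rate limit and hash cache are constructed stand-ins, and all hashes are placeholders.

```python
# Added example, not Splunk SOAR/Phantom code: the decide-and-act core of the
# file analysis utility playbook from the appendix. The reputation feed, the
# sandbox and the rate limit are constructed stand-ins; hashes are placeholders.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed reputation feed (sha256 -> verdict); an absent hash is "unknown".
REPUTATION_FEED = {"aa" * 32: "malicious", "bb" * 32: "clean"}
# Constructed sandbox verdicts for hashes the feed does not know.
SANDBOX_VERDICTS = {"cc" * 32: "malicious", "dd" * 32: "benign"}


class RateLimitedReputation:
    """'File Rep w/ rate limit': at most `limit` lookups per sliding window."""

    def __init__(self, limit: int, window_s: float = 60.0):
        self.limit = limit
        self.window_s = window_s
        self.calls: List[float] = []  # timestamps of recent lookups

    def lookup(self, sha256: str, now: float) -> Optional[str]:
        self.calls = [t for t in self.calls if now - t < self.window_s]
        if len(self.calls) >= self.limit:
            raise RuntimeError("reputation lookup rate limit exceeded")
        self.calls.append(now)
        return REPUTATION_FEED.get(sha256)  # None means unknown


@dataclass
class Result:
    priority: str  # P1 / P2 / P3 as defined on the ARTIFACTS slides
    verdict: str
    actions: List[str] = field(default_factory=list)  # playbook actions, in order


def run_file_analysis(sha256: str, rep: RateLimitedReputation,
                      cache: Dict[str, Result], now: float = 0.0) -> Result:
    """Return the outcome for one hash and the actions the playbook would run."""
    if sha256 in cache:  # P3: Cache Results -> Display Report, no new lookup
        return Result("P3", cache[sha256].verdict, ["display_report"])
    try:
        verdict = rep.lookup(sha256, now)
    except RuntimeError:  # cannot validate externally -> hand to an analyst
        return Result("P3", "unknown", ["prompt_analyst", "task_forensics"])
    if verdict == "malicious":  # P1: known malware, block now
        res = Result("P1", verdict, ["prompt_analyst", "block_file", "change_severity:high"])
    elif verdict == "clean":
        res = Result("P3", verdict, ["change_severity:low", "display_report"])
    else:  # P2: unknown -> Detonate File, then (de)escalate on the sandbox verdict
        sb = SANDBOX_VERDICTS.get(sha256, "inconclusive")
        if sb == "malicious":
            res = Result("P2", sb, ["detonate_file", "block_file", "change_severity:high"])
        elif sb == "benign":
            res = Result("P2", sb, ["detonate_file", "change_severity:low"])
        else:  # sandbox could not decide -> P3 manual analysis
            res = Result("P3", sb, ["detonate_file", "prompt_analyst", "task_forensics"])
    cache[sha256] = res  # Cache Hash so repeat submissions skip the lookup
    return res
```

A rate-limited lookup deliberately falls through to the analyst rather than being cached, so a throttled feed never poisons the cache with a non-verdict.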