Last week, we released Splunk SOAR (Security Orchestration, Automation and Response) 6.2, and in the accompanying announcement blog we highlighted some of the key new features in this release. Today, we want to take a more in-depth look at one of those features, logic loops, and show how they make it easier than ever for security engineers and analysts to save time and cut down on repetitive manual tasks. This new iterative function allows users to automatically retry playbook actions if they fail, or continue with the rest of the playbook when an action succeeds. Logic loops can be applied to use cases like sandbox engines for malicious URL quarantine and remediation as well as forensic investigation workflows.
The following demo showcases how you can set up logic loops and some sample scenarios where you might use them.
You can configure logic loops directly in the Visual Playbook Editor with an intuitive user interface, which reduces the time it takes to build playbooks. Looping can be enabled with a simple toggle on the Loop tab of available blocks, no coding required!
Logic loops are available on Action, Utility and Playbook blocks for expanded use cases. From the Loop tab on each of these block types, users can configure the following settings:
Users can also quickly and easily start debugging as needed via the loop icon in the debugger function of the Visual Playbook Editor.
Logic loops can help make investigations a breeze. Let’s say you need to run a real-time response playbook on a suspicious host. Doing this manually would require you to keep checking the host to see whether the process has completed, so that you can get the information needed to start the next part of your response process. Loop functionality allows you to run a playbook that continually checks the host until it identifies that the process has completed successfully, and then automatically kick-starts the next phase.
Need to start a malicious file detention workflow while using a sandbox environment? Logic Loops allow you to set up recursive action blocks that can check the sandbox at specified intervals until the desired response is triggered and then move right into the next phase of the workflow without the need for manual input.
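As an added illustration (not Splunk SOAR code and not taken from the product), the Python sketch below shows the logic a loop block on a sandbox check replaces: retry a failed action, wait a set interval between checks, stop on a final verdict, and send an exhausted loop to an analyst instead of treating it as clean. The function names, verdict strings and the `constructed_sandbox` stub are assumptions made for this example.

```python
import time
from typing import Callable, NamedTuple, Optional

# Assumed verdict strings; a real sandbox app defines its own status values.
TERMINAL_VERDICTS = {"malicious", "benign"}

class LoopResult(NamedTuple):
    verdict: Optional[str]  # None means the loop gave up without an answer
    attempts: int
    errors: int

def poll_until_verdict(check: Callable[[], str], max_iterations: int = 10,
                       interval_s: float = 30.0,
                       sleep: Callable[[float], None] = time.sleep) -> LoopResult:
    """Call check() until it returns a terminal verdict or the budget runs out."""
    errors = 0
    for attempt in range(1, max_iterations + 1):
        try:
            status = check()
        except ConnectionError:
            # Failed action: count it and retry on the next iteration.
            errors += 1
            status = None
        if status in TERMINAL_VERDICTS:
            return LoopResult(status, attempt, errors)
        if attempt < max_iterations:
            sleep(interval_s)  # wait only when another attempt follows
    return LoopResult(None, max_iterations, errors)

def next_phase(result: LoopResult) -> str:
    """Pick the follow-on step; an exhausted loop is never treated as benign."""
    if result.verdict == "malicious":
        return "quarantine"
    if result.verdict == "benign":
        return "close"
    return "escalate_to_analyst"

def constructed_sandbox(responses):
    """Stand-in for a sandbox status action, replaying constructed responses."""
    replies = iter(responses)
    def check() -> str:
        reply = next(replies)
        if isinstance(reply, Exception):
            raise reply
        return reply
    return check

if __name__ == "__main__":
    sandbox = constructed_sandbox([ConnectionError("timeout"), "pending", "malicious"])
    result = poll_until_verdict(sandbox, max_iterations=5, interval_s=0)
    print(result, "->", next_phase(result))
```

The iteration cap matters as much as the exit condition: without it, a sandbox that never returns a verdict would hold the playbook open indefinitely.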
We’re excited to see how users will implement logic loops into their security and automation best practices. Be sure to let us know what you think of logic loops over in the Splunk SOAR Community and if you have an idea or request for a new feature, please let us know by submitting them to Splunk Ideas. In our next look at Splunk SOAR 6.2, we’ll take a closer look at the new Panorama and FortiManager firewall apps.
Now get out there and get automating!