It’s Friday at 3:59pm. A potential phishing attempt is detected by your SIEM and triggers a SOAR playbook that automatically analyzes the email. The analysis returns malicious indicators such as phishing URLs and command-and-control IP addresses, which need to be blocked across the network security infrastructure managed by the network security team. To move the investigation forward, you need that team’s approval. You send a Slack message. Five minutes pass and no answer. Maybe email is better? Send. No reply 30 minutes later. Maybe you should open a ticket? You check your phone to see whether you have the cell phone number of one of the team members.
This isn’t working. Out-of-band communication like this can add hours, if not days, to an investigation and response workflow, and it doesn’t scale.
Let’s try this again.
It’s Friday at 3:59pm. A potential phishing attempt is detected by your SIEM, Splunk Enterprise Security, and triggers a Splunk SOAR playbook that automatically analyzes the email. The analysis returns malicious indicators such as phishing URLs and command-and-control IP addresses, which need to be blocked across the network security infrastructure managed by the network security team. Now, prompt-driven automation in Splunk SOAR sends an approval request directly to the network security team, delivered through any Splunk SOAR-supported ITOps, ChatOps, or ticketing application. The prompt asks simple, straightforward questions. The network security team sees the request in line with their normal workflows, answers the questions, and approves it, and the Splunk SOAR playbook then automates the blocking of the malicious URLs and IPs across network security technologies such as firewalls or secure web gateways. The same kind of prompt can also be sent to the end user to verify whether they entered their corporate credentials on the phishing website, which can in turn automate a reset of those credentials. All of this is done in minutes, not hours or days.
Much better. Fast, efficient, and in line with the normal workflows of the security team, the network security team, and any team outside the SOC (IT, HR, Legal, end users). Reaching these teams is often crucial to keeping security investigations moving quickly and effectively, increasing SOC responsiveness, and resolving more incidents faster. Streamlining these interactions is essential for a more agile and inclusive security strategy.
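As an added illustration of the decision logic behind the workflow above (this is not Splunk’s code and does not use the Splunk SOAR playbook API), here is the approval gate in plain Python. The prompt delivery and the firewall / secure web gateway calls are assumed to be handled by the automation platform; the analysis result, the internal address ranges and the question IDs are constructed for the example. The point it shows is what a practitioner would want from such a gate: only an explicit approval for a specific indicator leads to a block, answers outside the offered options count as no approval, a timed-out prompt escalates rather than auto-approving, and internal addresses are never even offered for blocking.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed output of the email-analysis stage (example data, not real indicators).
ANALYSIS_RESULT = {
    "urls": ["http://secure-login.example.net/verify", "http://192.168.1.10/portal"],
    "ips": ["203.0.113.44", "10.0.5.20"],
    "recipient": "alice@corp.example",
}

# Assumed internal ranges for this example organisation: never offered for blocking,
# because a mis-click on a prompt must not take down internal services.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

RESPONSE_OPTIONS = ("Yes", "No")  # the only answers the prompt offers


@dataclass(frozen=True)
class BlockAction:
    kind: str     # "url" or "ip"
    value: str
    target: str   # "swg" for URLs, "firewall" for IPs (assumed enforcement points)


def _is_internal(host: str) -> bool:
    """True if host is an IP address inside one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are not filtered by this check
    return any(addr in net for net in INTERNAL_NETS)


def candidate_indicators(result):
    """Reduce the analysis result to (kind, value) pairs worth asking the team about."""
    cands = []
    for url in result["urls"]:
        if not _is_internal(urlsplit(url).hostname or ""):
            cands.append(("url", url))
    for ip in result["ips"]:
        if not _is_internal(ip):
            cands.append(("ip", ip))
    return cands


def build_approval_prompt(result):
    """One simple yes/no question per indicator, addressed to the network team."""
    indicators = candidate_indicators(result)
    return {
        "audience": "network-security",
        "indicators": indicators,
        "questions": [
            {"id": f"block_{i}", "text": f"Block {kind} {value}?", "options": RESPONSE_OPTIONS}
            for i, (kind, value) in enumerate(indicators)
        ],
    }


def decide_block_actions(prompt, responses, status="answered"):
    """Turn the team's answers into block actions.

    Fails closed: a prompt that did not complete (e.g. timed out) blocks nothing and
    is escalated; a missing answer or one outside RESPONSE_OPTIONS is not approval.
    """
    if status != "answered":
        return [], "escalate"
    actions = []
    for question, (kind, value) in zip(prompt["questions"], prompt["indicators"]):
        if responses.get(question["id"]) == "Yes":
            actions.append(BlockAction(kind, value, "swg" if kind == "url" else "firewall"))
    return actions, "proceed"


def decide_credential_reset(user_response):
    """End-user prompt: only an explicit 'Yes' ("I entered my credentials") triggers a reset."""
    return user_response == "Yes"


if __name__ == "__main__":
    prompt = build_approval_prompt(ANALYSIS_RESULT)
    for q in prompt["questions"]:
        print(q["id"], q["text"], q["options"])
    # Constructed answers: approve the URL, decline the IP.
    actions, outcome = decide_block_actions(prompt, {"block_0": "Yes", "block_1": "No"})
    print(outcome, actions)
    print("reset credentials:", decide_credential_reset("Yes"))
```

The prompt’s answer set is deliberately closed (Yes/No) so that free text such as “yes please” or “block everything” cannot be misread as approval of an indicator that was never named, and each block action carries the exact indicator that was approved, which is what an auditor will want to see next to the prompt and its responder.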
This is prompt-driven automation, a new feature included in the recently released Splunk SOAR version 6.3. Let’s see a demo.
Prompt-driven automation lets you send real-time, secure prompts to teams outside the SOC to streamline response workflows and resolve security incidents faster.
Get started with prompt-driven automation today with the latest version of Splunk SOAR. Check out our Tech Talk, watch the webinar, or dive into release notes.