Cisco Security and Splunk SOAR

How Splunk SOAR and Cisco Security work together

The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.

Founded in 2003, Splunk is a global company — with over 7,500 employees, over 1,020 patents received by Splunkers to date and availability in 21 regions around the world — that offers an open, extensible data platform supporting shared data across any environment, so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.

Product Integrations

  • Secure Endpoint: Splunk SOAR (formerly Phantom) supported actions with Secure Endpoint
    • test connectivity - Validate the asset configuration by attempting to connect and getting the version of the API ...
    • list endpoints - List all of the endpoints connected to Secure Endpoint (FireAMP)
    • hunt file - Search for a file matching a SHA256 hash across all endpoints
    • hunt ip - Search for a given IP
    • hunt url - Search for a given URL
    • get device info - Get information about a device given its connector GUID
    Product page: https://my.phantom.us/4.5/apps/?search=FireAMP
  • Secure Malware Analytics: There is a simple “playbook”, or automated security operations procedure, which demonstrates using Phantom and Cisco to investigate a security alert associated with a questionable URL:
    • Use Secure Malware Analytics to investigate the URL and get a threat score
    • If the threat score is over a threshold value, the playbook blocks the IP associated with the URL using Cisco Secure Firewall ASA
    Here is another sample playbook utilizing Cisco products:
    • The playbook starts with a security alert associated with a questionable file
    • The file's hash is passed to Secure Malware Analytics
    • The resulting threat score is then analyzed and, if over a defined threshold, an action is taken to automatically list all endpoints with the file in question and create a ticket that describes them
    • This playbook could just as easily take a remediation action such as locking down the endpoint with Cisco ISE
  • SecureX Threat Response: A Splunk SOAR user, or an automated playbook/action, initiates a query to SecureX threat response for verdicts or sightings of an observable and renders the results in a table
  • Kenna: Splunk can generate incidents using the Kenna Security app on Splunkbase
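The decision logic of the two sample playbooks above, as an added example that is not code from Cisco or Splunk and does not use the SOAR playbook API: the Secure Malware Analytics verdict lookup is replaced by a constructed, labelled table, the threshold of 70 is an assumed value, and the returned strings name the SOAR actions the page lists (hunt file, list endpoints, block ip) rather than executing them.

```python
import re

# Secure Endpoint's "hunt file" needs a SHA256, so the playbook validates the hash first.
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed stand-in for Secure Malware Analytics results (hypothetical values):
# observable -> threat score, plus the IP resolved for a URL where known.
SAMPLE_VERDICTS = {
    "http://example.test/payload": {"score": 95, "ip": "203.0.113.10"},
    "a" * 64: {"score": 40},
    "b" * 64: {"score": 85},
}


def lookup_verdict(observable):
    """Placeholder for the Secure Malware Analytics query; returns None when unknown."""
    return SAMPLE_VERDICTS.get(observable)


def plan_actions(alert, threshold=70):
    """Return the list of SOAR actions (as strings) for one alert.

    alert: {"type": "file" | "url", "value": hash or URL}
    Below-threshold and incomplete cases are routed to closure or analyst review
    instead of triggering blocking or endpoint actions.
    """
    kind, value = alert["type"], alert["value"].strip()
    if kind == "file":
        value = value.lower()
        if not SHA256_RE.match(value):
            return ["needs_review: hunt file requires a SHA256 hash"]
    elif kind != "url":
        return [f"needs_review: unsupported observable type {kind!r}"]

    verdict = lookup_verdict(value)
    if verdict is None:
        return ["needs_review: no verdict from Secure Malware Analytics"]
    if verdict["score"] < threshold:
        return [f"close: threat score {verdict['score']} below threshold {threshold}"]

    if kind == "file":
        # Second sample playbook: find every endpoint holding the file, open a ticket.
        return ["hunt file", "list endpoints", "create ticket"]
    # First sample playbook: block the URL's IP on the ASA, if one was resolved.
    ip = verdict.get("ip")
    return [f"block ip {ip}"] if ip else ["needs_review: no IP resolved for URL"]
```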

Useful links