In a world where attackers are continually devising more sophisticated ways to breach enterprises, the value of automation has become critically important. To make matters worse, today's SOC is grappling with swivel chair movement across various security products, which sometimes includes a standalone automation product. SOCs are faced with the additional burden of integrating a standalone SOAR with their existing SIEM while fragmenting context across separate products, which, in reality, should always have been a unified platform.

Splunk SOAR solves all these problems by taking a unified threat detection, investigation, and response (TDIR) approach. This new approach makes security operations easier, more efficient to get a SOC closer to reducing mean time to detect and respond. This unified approach to building and consuming automation sets Splunk SOAR apart from many standalone automation products in the industry. Building on the feature-rich Splunk SOAR, we are proud to deliver a series of innovations that work together to achieve superior outcomes for enterprises.

The Splunk SOAR product team has been hard at work to do just that, and is delivering a series of innovations to Splunk SOAR over the next few weeks across two key releases - Splunk SOAR 6.3.0 and 6.3.1. These updates constitute a significant evolution in how security practitioners can implement, use, and leverage security automation in the SOC more efficiently.

SIEM and SOAR: A Match Made in Heaven

At .conf24, Splunk announced Splunk Enterprise Security (ES) 8.0 - a revolutionary step forward that natively integrates Splunk SOAR with Splunk Enterprise Security. This revolutionizes the consumption model for automation within a SOC, bringing automation to all tiers of analysts thereby democratizing the SOC. Delivering on the promise of the SOC of the Future, with SOAR Release 6.3.0, Splunk SOAR is now ready to integrate with Enterprise Security 8.0:

• Splunk customers can now pair Splunk SOAR and Splunk ES within seconds without worrying about data formats or setting up different apps.
• Splunk SOAR playbooks and actions are now directly integrated within the Splunk Enterprise Security analyst queue. You can run playbooks and see the results of those playbooks without leaving the Splunk Enterprise Security interface.
• The "Automation Rules" feature in Splunk Enterprise Security lets you create automation rules to assign playbooks to specific detections so that playbooks run automatically when your selected detections produce findings. This not only provides better visibility and control over what playbooks are being triggered automatically, but also supports both generic enrichment and hyper-specific automation use cases.

See below how Splunk Enterprise Security and Splunk SOAR seamlessly integrate to provide the best SecOps experience available today.

As you can see below the "Run Playbook" button is directly integrated into the analyst queue where an analyst can simply select findings and run automation on them with a single click of the button without ever navigating away from the ES user interface.

In the screenshot below, you see an open investigation with built in Response Plans that provide prescriptive guidance to the analyst with suggestions on what playbooks can be run as part of this investigation. This allows the analysts to orchestrate playbooks from within an investigation in just a few clicks.

Prompt-Driven Automation: Collaborative Security Operations that Go Beyond the SOC

SecOps teams continue to face challenges in responding to threats efficiently due to fragmented tools and siloed teams. Effective communication with teams like IT, Network Security, HR, Legal, and end-users is crucial for informed security decisions. However, much of this communication occurs out-of-band, reducing SOC responsiveness and potentially alienating end-users. Streamlining these interactions is essential for a more agile and inclusive security strategy.

With Prompt-driven automation, you can send real-time, secure prompts to teams outside the SOC-like IT and HR-to streamline response workflows and resolve security incidents cases faster.

But why would someone outside the SOC need to assist in a security investigation?

Consider this scenario: a potential phishing attempt is detected,triggering a playbook to analyze email. This analysis returns Indicators of Attacks (IOAs), such as malicious URLs and command-and-control IP addresses, which need to be blocked across the network security infrastructure managed by the network security team. Here, Prompt-driven automation sends an approval request to the network security team. Once approved, the system automates the blocking of malicious URLs/IPs across the network security technologies such as firewalls or secure web gateways. The same prompt can also be sent to the end-user to verify if they entered their corporate credentials on the phishing website, which can further automate the reset of their username/password.

With the new Splunk SOAR release, these external prompts are sent directly to the end-user with simple, straightforward instructions. Delivered through over 300+ SOAR integrated tools, these prompts enable faster response time from end-users, allowing the SOC to respond to incidents more quickly, efficiently and effectively.

Guided Automation with Real Incident Data

Splunk SOAR has long offered a feature-rich, powerful visual playbook editor that enables customers to build highly sophisticated automations, including custom code. While we acknowledge the importance for this customizability, we're also focused on making automation faster, easier and more accurate. It's important to remember that automation isn't a one-size fits all solution - low code options are only effective when the automation author has a clear understanding of both the data and the process flow.

With Splunk SOAR's new "guided automation" feature, playbook building is easier than ever. Guided automation unlocks a whole new visual experience overlaying real incident data atop the logical sequencing in a playbook. This superimposition not only drastically reduces the time to build automation but also improves accuracy as you can see output results in each individual playbook block based on real incident data.

Now, security analysts and automation engineers can:

• Build automation playbooks more easily with intuitive at-a-glance data visualizations that show data in the context of specific security investigations
• Build faster with suggested actions to quickly add the right action blocks, filters, and prompts with a single click
• Build accurately by visualizing results rooted in real data from individual blocks

These enhancements ensure that automation playbooks are built and deployed rapidly to protect organizations from ever-evolving threats.

SOAR Wayfinder: Quick and Easy UI Navigation

The Splunk SOAR team is also excited to introduce Wayfinder, a powerful new feature that puts all of your automation data at your fingertips. Wayfinder offers a streamlined discovery and navigation experience, allowing you to navigate effortlessly through the Splunk SOAR interface. With keyboard shortcuts, you can now instantly access key incidents, playbooks, and critical information for a smoother and efficient experience.

How does it work? Wayfinder provides:

• Keyboard-driven navigation: Skip the menus and jump directly to what you need with the "." key.
• Dynamic content discovery: Easily search for tasks, playbooks, or pages, with Wayfinder surfacing relevant results as you type.
• Metadata-rich guidance: Dynamic results are accompanied with helpful metadata, ensuring you quickly reach the right destination.

Wayfinder makes navigating Splunk SOAR faster, easier, and more intuitive than ever.

Splunk SOAR Achieves FedRAMP Moderate Certification

We're excited to announce that Splunk SOAR is now FedRAMP Moderate certified. This highlights Splunk's unwavering commitment to delivering secure, reliable solutions for the US Public Sector. FedRAMP certification provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Government and public sector security teams can automate security operations, investigations, and incident response with Splunk SOAR and be confident that the technology meets strict federal requirements.

Splunk SOAR Evolved, Starting Today

A new way to SOAR is here, and it's time to experience it firsthand. Dive into the powerful new features and capabilities of Splunk SOAR. Watch our demo, explore the extensive documentation, and take the first step toward transforming your security automation today!

Public link

Please use the above public link if you want to share this noodl on another website.