Splunk SOAR Zero Trust Application and playbook

Home Top

• Overview of Splunk On premise SOAR Solution
• Support Statement
• Limitations
• Solution Overview
• Features
• What is Splunk SOAR?
• Solution Configuration in Splunk Enterprise and Defender Zero Trust
• Prerequisites
• Configure Data Security Edition Integration
• Configuration in Splunk SOAR
• Use Cases for Superna Zero Trust Data protection playbooks
• Cyberstorage Incident Response - Capabilities
• How to use Superna Playbooks in Splunk SOAR

Overview of Splunk On premise SOAR Solution

1. Splunk Phantom, renamed to Splunk SOAR, is a security orchestration, automation, and response (SOAR) solution. Security automation involves machine-based execution of security actions to detect, investigate and remediate threats programmatically.  Customers can now leverage the full automation capabilities of a SOAR with Superna Zero Trust API's.

Support Statement

1. NOTE:  This documentation is provided "as is" without support for 3rd party software.  The level of support for this integration guide is best effort without any SLA on response time.  No 3rd party product support can be provided by Superna directly.  3rd party components require support contracts

Limitations

1. 
   

Solution Overview

Superna Security Edition Zero Trust API is the cornerstone technology used to integrate with SIEM, SOAR and XDR platforms.   Automation begins with data that summarizes the threat and places that information into a security tools to be acted on by Secops and run playbooks to protect corporate IT assets from vulnerabilities and insider or external attackers.   The Splunk Soar platform can act on container events and artifacts that provide details on the incident with all relevant data provided to act on with playbooks and automation cross domain.

Features

1. A Splunk app is installed with 4 actions (Health check connectivity check, data snapshot, user lockout and restore)
2. 3 Playbooks are also available to automate responses within the SOAR platform, this save the administator time to create playbooks and use cases and provides a ready to use system in minutes after deployment.

What is Splunk SOAR?

Splunk SOAR is a data-centric, modern security information and event management (SIEM) solution that delivers data-driven insights for full-breadth visibility into your security posture so you can protect your business and mitigate risk at scale.

Solution Configuration in Splunk Enterprise and Defender Zero Trust

Prerequisites

1. Installed Security Edition
2. Installed Splunk SOAR On Premise 
3. https port 443 port open between Splunk SOAR and Superna eyeglass virtual machine.
4. Eyeglass OS appliance version 15.5
   1. cat /etc/os-release    

Configure Data Security Edition Integration 

High Level steps

1. Create API token
   1. Login , open Integrations, api token tab, + sign and provide a name for the token example Slunk SOAR

   
   

Configuration in Splunk SOAR

1. Download the Superna Zero Trust App for Splunk SOAR here,  
2. Download the Superna playbooks for Splunk SOAR from here.  NOTE: These playbooks require installation of the Superna app to be completed first. 
   1. Unzip the zip file and 3 tgz files should be inside the zip file.  Follows steps below.
3. Install Zero Trust App
   1. Login to Slunk SOAR
      1. 
      2. Click install app
         1. 
         2. Browse to the app file with tgz extension and upload the app
         3. Configure the asset for the app to input the api token created above and the ip address of the eyeglass vm.
         4. Create a name for the asset example Supernaasset
         5. 
         6. Input the api endpoint with syntax shown above https://x.x.x.x
         7. Input the api token
         8. The default is disabled cert validation since Eyeglass deploys with a self signed cert.
         9. Click the test connectivity button.   This will test ip connectivity to the Eyeglass VM from the Splunk VM and issues appliance health check API and returns success if successful.
            1.  
4. Once successfully tested you should have a fully configured application in Splunk with 4 actions and 1 asset
   1. 
5. Install playbooks
   1.  Open the playbooks tab in Splunk SOAR
   2. Click import playbooks
      1. 
      2. 
      3. Upload each playbook file from the zip file.  Once completed you should see 3 playbooks listed.
      4. Make sure all playbooks are set to active
      5. 
6. Installation complete

Use Cases for Superna Zero Trust Data protection playbooks

1. The Superna Cyberstorage Incident Response application provides industry first capabilities to SOC Managers and analysts to protect data directly during Incident response process without needing any direct access or knowledge of storage systems.
2. Incident Examples
   1. User account is phished
      1. Run Snapshot and user lockout workflows
   2. Suspected host breach by an attacker
      1. run snapshot workflow to protect data and provide a roll back point from an immutable snapshot
   3. Large DDOS attack on external firewall
      1. Protect data with snapshot workflow
   4. Employee termination
      1. Disabling an AD account is not enough, running user block action guarantees that user account cannot login to modify , delete or take corporate data

Cyberstorage Incident Response - Capabilities

1. Zero trust Splunk SOAR application, integration and workflows to extend offensive data protection as an action to respond to any incident within Splunk SOAR.
2. Superna Data Security Edition Integrations enable the following Cyberstorage Incident Response Actions.
   1. Cyberstorage IR -  Critical Data Snapshot API as defensive response to any incident within Splunk SOAR.  This creates immutable snapshots on critical data on all NAS devices protected by Superna.
   2. Cyberstorage IR - User Data Block - Allows SecOPS to block a user and leverages approval workflow to route request to approve a user lockout
   3. Cyberstorage IR - User Data Restore - Allows SecOPS to restore a users data access and leverages approval workflow to route request to approve or deny a user restore by the SecOPS manager 

How to use Superna Playbooks in Splunk SOAR

1. Open a case within Splunk SOAR
   1. 
   2. To run a playbook ensure you are in analyst view
   3. Press the playbook button
      1. 
      2. Filter on superna
      3. 
2. Running the snapshot playbook
   1. This playbook does not require any inputs and will create immutable snapshots on critical data if the threat requires defensive actions.  This ensures Superna Data Security Edition can recover files from a snapshot if data was attacked.
   2. Select the playbook and click run Playbook
   3. The job ID is returned that ran on Eyeglass.  To verify details of the playbook execution click the activity tab and review each steps completion.
   4.   
3. Running the User lockout playbook 
   1. This playbook requires a username input during execution.
   2. This playbook will resolve the users permissions to data and deny the user access to SMB shares on any protected storage device.
   3. 
   4. The activity tab details will show the steps completing.
      1.  
      2. The widget also shows completetion.
      3.  
4. Running the restore user playbook
   1. This playbook is used to restore permissions to a user that was previously locked out.
      1. 
      2. This playbook requires user input for the username
      3. 
      4. Successful completion will show activity log and widget update
      5. 
5. Done. 

© Superna Inc