Splunk SOAR: Pros/Cons, Architecture, and Quick Tutorial

What Is Splunk SOAR? 

Splunk SOAR (security orchestration, automation, and response) is a platform designed to hopefully improve an organization’s security management and operations. It achieves this by automating routine tasks involved in security operations, such as incident response and threat management.

Another key aspect is its ability to integrate with various tools and systems, allowing for centralized management of security event responses. This integration provides a unified approach to security, eliminating silos and fostering improved reactions across teams.

This is part of a series of articles about Splunk SIEM

Key Features of Splunk SOAR 

Automated Playbooks

Automated playbooks are intended to streamline incident response by executing predefined workflows automatically. This automation aids in reducing response time and ensures consistency across responses. By using automated playbooks, organizations can eliminate repetitive manual tasks and direct their focus on proactive tasks or critical threats that need human expertise.

Splunk SOAR playbooks are customizable, which should allow organizations to tailor them to specific needs and scenarios. They can address a wide range of security events, from malware detection to phishing attacks. By automating these processes, organizations can quickly adapt to various threats and minimize the scope of a breach.

App Integrations

Splunk SOAR supports different app integrations, enabling it to interact with third-party security tools and applications. This capability allows SOAR platforms to serve as a central hub for security operations, facilitating communication between different systems especially for case management. Integrations expand the platform’s functionality, providing additional data sources and enhanced visibility into security threats.

App integrations also enhance the platform’s orchestration capabilities, allowing for coordinated responses across multiple tools. This interconnected environment helps eliminate data silos and fosters an integrated security strategy.

Visual Playbook Editor

The visual playbook editor in Splunk SOAR enables the creation and modification of playbooks. This tool allows security professionals to design workflows without requiring extensive coding knowledge through a drag-and-drop feature.

By providing a visual representation of workflows, the editor maps out the sequence of actions in response to security incidents to see how each step is defined and integrated with other security processes.

Case Management

Case management within Splunk SOAR provides tools for tracking, documenting, and analyzing cases. This feature allows security teams to manage all aspects of an incident from detection to resolution. Case management intends to support team collaboration, ensuring that all relevant information is shared among team members.

By centralizing incident data, case management should provide insights into trends and patterns in security threats to allow organizations to refine their security strategies over time. The intention is that incidents are resolved systematically and completely.

Related content: Read our guide to threat hunting

Splunk SOAR Limitations 

While Splunk SOAR offers automation and orchestration capabilities for enhancing security operations, it is not without its drawbacks. Here are some limitations of Splunk SOAR, as reported by users on the G2 platform:

• High cost: Splunk SOAR is expensive, making it challenging for small businesses and smaller projects to afford.
• Complexity for beginners: The platform has a steep learning curve, especially for new users, and often requires extensive training. The user interface contains a large amount of information that can be overwhelming for those unfamiliar with the system.
• Limited documentation: The available documentation may not be comprehensive enough to support all users, particularly beginners who might need more detailed guidance to effectively use the platform.
• Short trial period: The limited trial period offered may not provide sufficient time to fully explore the platform’s capabilities, leaving potential users unable to evaluate its full potential before committing.
• Occasional plugin issues: Some plugins may encounter issues such as freezing or getting stuck, and resolving these problems quickly can be difficult without access to a dedicated support team.

Splunk SOAR Architecture and Components 

Splunk SOAR architecture is designed to integrate security infrastructure, automate workflows, and centralize incident response management.

The platform consists of several key components that work together to automate and orchestrate security operations.

• App: An app is a connection to third-party security tools and technologies. It enables Splunk SOAR to perform specific actions, like retrieving data or blocking a threat, provided by the connected security systems. Some apps also offer visual elements, like widgets to display data.
• Asset: An asset is a specific instance of an app. Each asset represents a device, endpoint, or system within an organization (e.g., a firewall or server). For example, an organization can configure multiple assets for different versions of the same firewall to tailor actions based on the version.
• Container: A container holds security events ingested into Splunk SOAR. Containers are labeled to help group and organize related events. For instance, events from the same source can be grouped together to apply actions or workflows to them.
• Case: A case is a special type of container used to group related events. When multiple security events are connected, they can be consolidated into a single case. This simplifies investigations by allowing analysts to handle all related incidents together.
• Artifact: An artifact is a piece of information added to a container, such as an IP address, file hash, or email header. Artifacts provide detailed context for security events and are critical for incident analysis.
• Indicator or indicator of compromise (IOC): An IOC is a specific piece of data that signals a potential security threat, like a malicious IP address or domain. IOCs populate fields within artifacts and can trigger automated responses via the playbooks.
• Playbook: A playbook is a series of automated tasks designed to respond to security events. It acts on new data entering Splunk SOAR and can be customized to address specific incident types, automating repetitive tasks to improve response times.
• Workbook: A workbook is a template that outlines standard steps for analysts to follow during an investigation. It provides a structured process for evaluating containers or cases for analysis.
• Action: An action is a high-level command available within Splunk SOAR, like blocking an IP or suspending a virtual machine. Actions are either triggered manually or automated through playbooks and are provided by the apps connected to the system.
• Owner: An owner is responsible for managing specific assets in the organization. Owners receive requests to execute certain actions and ensure that service level agreements (SLAs) for response times are met.

Tutorial: Investigation Basics in Splunk SOAR

Splunk SOAR’s Investigation page is the central interface for examining, managing, and acting upon security events. It consolidates all relevant information about an event, offering a detailed activity history, interactive data views, secure file attachments, and integration with automation tools.

Main Areas of the Investigation Page

Activity feed

This feed provides a chronological history of actions and playbook executions for the event. Security teams can track the status of each operation, from successful completions to ongoing tasks. The activity feed also supports inline collaboration, allowing team members to discuss actions and share notes directly within the context of the event.

Case management integration

Once an event is verified as significant, it can be promoted to a “case.” The case management functionality allows security teams to track and resolve incidents according to predefined Standard Operating Procedures (SOPs). Playbooks and automation actions can be launched directly from the case.

Event details

The Events section in the home menu shows active events. Once an event is selected, users can choose between two main views for investigation:

• Summary view: Offers a high-level overview of the event or case, displaying its current status.
• Analyst view: Provides more in-depth access, including the ability to execute actions such as running playbooks, editing workbooks, and viewing artifacts.

Running Playbooks

While many playbooks in Splunk SOAR are set to run automatically, manual execution may be necessary for certain scenarios. To manually run a playbook, follow these steps:

1. In the Analyst view of the selected event, click on the Run Playbook button.
2. Choose the playbook from the list of available options. Recommended playbooks appear at the top.
3. Set the scope of the playbook run:

• New artifacts: Run the playbook on newly collected artifacts.
• All artifacts: Include all artifacts in the playbook run.

4. View the progress and results in the activity panel, where detailed information about each action is displayed. You can also cancel the playbook run if needed.

Source: Splunk

Exabeam: Ultimate Alternative to Splunk SOAR

Exabeam’s Automation Management within the New-Scale Platform offers a compelling alternative to Splunk SOAR, providing a fully integrated, vendor-agnostic security automation experience. The platform stands out with its focus on simplified workflows, flexible playbook design, and open integration capabilities, making it an effective solution for simplifying security operations.

Key benefits of Exabeam compared to Splunk SOAR:

1. Modular playbook design: Unlike Splunk SOAR, which may require separate playbooks for different workflows, Exabeam’s modular approach allows a single playbook to support multiple decision trees. This simplifies playbook development, saving time and effort by eliminating the need to build new workflows from scratch. Security teams can quickly adapt to changing threat conditions while maintaining efficient processes.
2. Open API Standard (OAS) compatibility: Exabeam is the first platform in the industry to fully embrace the Open API Standard (OAS), allowing for seamless integration with thousands of third-party tools. Security teams can easily connect and interact with different vendors’ APIs and software development kits, making the integration process faster and less complex than Splunk SOAR’s sometimes challenging app setup.
3. Low-code/no-code environment: Exabeam’s low-code and no-code options for building automation workflows cater to both seasoned developers and beginners. This feature reduces the learning curve and improves accessibility for users at various skill levels. While Splunk SOAR may require more training and technical knowledge, Exabeam allows quicker onboarding and smoother playbook customization.
4. Fully integrated threat center: Exabeam’s automation capabilities are fully embedded within its New-Scale Threat Center, eliminating the need to switch between separate products. Users can manage automation, run playbooks, and monitor events without leaving the platform. In contrast, Splunk SOAR often requires navigating different interfaces, potentially slowing down response times.
5. Simplified incident response and collaboration: Pre-built playbooks and standardized actions in Exabeam enable faster threat detection, investigation, and response (TDIR). Security teams can easily modify, clone, or disable playbooks as needed, promoting rapid customization and collaboration across the organization. This reduces resolution times and ensures consistent workflows without the overhead of Splunk SOAR’s sometimes overwhelming interface.

By focusing on reducing complexity and enhancing automation through flexibility, Exabeam emerges as an appealing choice for organizations seeking scalable security orchestration and automation beyond what Splunk SOAR offers.

Get a demo and see Exabeam in action