Splunk SOAR Zero Trust Application and Playbook
Support Statement
This documentation is provided "as is" without support for 3rd party software. The level of support for this integration guide is best effort without any SLA on response time. No 3rd party product support can be provided by Superna directly. 3rd party components require support contracts. See EULA for more details.
Overview
Splunk Phantom, renamed to Splunk SOAR, is a security orchestration, automation, and response (SOAR) solution. Security automation involves machine-based execution of security actions to detect, investigate, and remediate threats programmatically. This integration enables organizations to leverage the full automation capabilities of Splunk SOAR with Superna Zero Trust APIs.
Features
- A Splunk app is installed with 4 actions: health check connectivity, data snapshot, user lockout, and restore.
- 3 ready-to-use playbooks automate responses within the SOAR platform, saving administrators time by providing a ready-to-use system within minutes of deployment.
Solution Overview
Superna Security Edition Zero Trust API is the cornerstone technology used to integrate with SIEM, SOAR, and XDR platforms. Automation begins with data that summarizes the threat and places that information into security tools for SecOps action and playbook execution to protect corporate IT assets from vulnerabilities and insider or external attackers. The Splunk SOAR platform acts on container events and artifacts that provide incident details with all relevant data for playbooks and cross-domain automation.
What Is Splunk SOAR?
Splunk SOAR is a security orchestration, automation, and response solution that delivers data-driven security insights with comprehensive visibility for risk mitigation at scale.
Prerequisites
- Security Edition installed
- Splunk SOAR On-Prem installed
- HTTPS port 443 open between Splunk SOAR and the Superna Eyeglass virtual machine
- Eyeglass OS appliance version 15.5 (verify with cat /etc/os-release)
Configure Data Security Edition Integration
- Log in to Security Edition and open Integrations.
- Open the API Token tab.
- Click the + icon and provide a name for the token, for example Splunk SOAR.
Configuration in Splunk SOAR
Install the Zero Trust App
- Download the Superna Zero Trust App for Splunk SOAR.
- Download the Superna playbooks for Splunk SOAR. Note: the playbooks require the Superna app to be installed first. Unzip the zip file; it contains 3 .tgz playbook files.
- Log in to Splunk SOAR.
- Click Install app, then browse to the app file with the .tgz extension and upload it.
- Configure the asset for the app:
  - Enter the API token created above.
  - Enter the IP address of the Eyeglass VM.
  - Set a name for the asset, for example Supernaasset.
  - Enter the API endpoint using the syntax https://x.x.x.x.
  - Certificate validation is disabled by default because Eyeglass deploys with a self-signed certificate.
- Click Test connectivity. This tests IP connectivity from the Splunk VM to the Eyeglass VM and issues an appliance health check API call. A success result confirms connectivity.
- Once successfully tested, you have a fully configured application in Splunk with 4 actions and 1 asset.
Install Playbooks
- Open the Playbooks tab in Splunk SOAR.
- Click Import playbooks.
- Upload each playbook file from the zip file. Once complete, you should see 3 playbooks listed.
- Set all playbooks to active.
Use Cases for Superna Zero Trust Data Protection Playbooks
The Superna Cyberstorage Incident Response application provides industry-first capabilities to SOC managers and analysts to protect data directly during the incident response process, without requiring direct access or knowledge of storage systems.
Example incidents:
- User account is phished — Run snapshot and user lockout workflows.
- Suspected host breach by an attacker — Run the snapshot workflow to protect data and create a rollback point from an immutable snapshot.
- Large DDoS attack on the external firewall — Protect data with the snapshot workflow.
- Employee termination — Disabling an AD account is not sufficient. Running the user block action guarantees the account cannot log in to modify, delete, or exfiltrate corporate data.
Cyberstorage Incident Response Capabilities
The Zero Trust Splunk SOAR application, integration, and workflows extend offensive data protection as an action to respond to any incident within Splunk SOAR.
Superna Data Security Edition enables the following Cyberstorage Incident Response actions:
- Cyberstorage IR - Critical Data Snapshot API — Defensive response to any incident within Splunk SOAR. Creates immutable snapshots on critical data across all NAS devices protected by Superna.
- Cyberstorage IR - User Data Block — Allows SecOps to block a user and uses an approval workflow to route the request to approve a user lockout.
- Cyberstorage IR - User Data Restore — Allows SecOps to restore a user's data access and uses an approval workflow to route the request for approval or denial by the SecOps manager.
How to Use Superna Playbooks in Splunk SOAR
Open a Case
- Open a case within Splunk SOAR.
- Ensure you are in analyst view.
- Press the Playbook button.
- Filter on superna to locate the Superna playbooks.
Run the Snapshot Playbook
- This playbook requires no inputs. It creates immutable snapshots on critical data when the threat requires defensive action, ensuring Data Security Edition can recover files from a snapshot if data was attacked.
- Select the playbook and click Run Playbook.
- A job ID is returned for the run on Eyeglass. To verify execution details, click the Activity tab and review each step's completion.
Run the User Lockout Playbook
- This playbook requires a username input during execution.
- It resolves the user's permissions to data and denies the user access to SMB shares on any protected storage device.
- The Activity tab shows the steps completing, and the widget confirms completion.
Run the Restore User Playbook
- This playbook restores permissions to a user that was previously locked out.
- It requires a username input.
- Successful completion is shown in the activity log and the widget update.