Configure automation rules to run playbooks based on findings in Splunk Enterprise Security
Set up automation rules to run one or more Splunk SOAR playbooks whenever one or more specified detections or ingestion configurations produce findings in Splunk Enterprise Security. For example, you might want to run a phishing detection playbook on all of your findings that include emails or run a specific playbook that resets user accounts and looks for login activity in the event of a leaked credential alert.
Specifications and limitations
Use automation rules only with the following components:
- detections that produce a finding on the analyst queue
- ingestions by apps into the system, producing a finding on the analyst queue. This option works only with apps that ingest Enterprise Security data. For details, see Configure apps in Splunk Enterprise Security.
- playbooks of type Splunk Enterprise Security (not SOAR or Input playbooks)
Automation rules, pairing, and permissions
The Automation rules page is only visible when Splunk Enterprise Security and Splunk SOAR are paired. You must have Splunk SOAR privileges to create and edit automation rules.
If you created automation rules while paired with one Splunk SOAR stack, and then later paired your Splunk Enterprise Security instance with a different Splunk SOAR stack, the automation rules display the configured detections, but do not display the associated playbooks, because they exist in the original Splunk SOAR stack that is no longer paired.
If you do not have SOAR permissions, you can view the Automation rules page, but you cannot add or edit automation rules.
Create an automation rule
Automation rules are triggered when findings are created by the detections or ingestions you specify, so you can add just detections, just ingestions, or both.
To create an automation rule, follow these steps:
- In Splunk Enterprise Security, select Configure, and then select Splunk SOAR.
- Select Automation rules, and then select + Automation rule.
- Enter a unique, descriptive name for the automation rule or accept the default name. You cannot change this name after you save the automation rule.
- Select + Detection and select a detection that will trigger the selected playbooks to run. All added detections must have status set to on. Use the search field to find a detection with a specific name, or use filters to find detections that are associated with a specific app or based on whether the detection status is on or off.
  - Select + Detection. Search for detections by name, associated app, or status.
  - Select one or more detections, then select Add Detections. You cannot select detections that are already used in an automation rule. For details, see the note in Specifications and limitations.
  - Optionally, repeat these steps to add new detections.
- Select + Ingestion source.
- Select an asset that is configured to ingest Enterprise Security data to bring findings into the analyst queue.
- Optionally, select the plus sign (+) to add more assets to the automation rule.
- Switch the toggle to the On position to set your automation rule to active. Switch the toggle to the Off position to save the automation rule and activate it at a later time.
- Select + Playbook and select a playbook from the list of available Splunk Enterprise Security playbooks. Use the search bar to find a playbook with a specific name.
  - Select Save.
  - Optionally, repeat these steps to add another playbook to the automation rule.
- When you are satisfied with your automation rule, select Save. The automation rule displays on the Automation rules page. The name of each automation rule also displays in the Details section of the corresponding Edit event-based detection or Edit finding-based detection page.
Edit or delete an automation rule
Follow these steps to edit an automation rule:
- In the list of available automation rules, locate the rule that you want to edit. You can expand the automation rule to see the detections, ingestions and playbooks it works on.
- Select the pencil icon for that automation rule.
- Edit the rule. Following are some edit actions that you can perform on the automation rule:
- Add or remove playbooks
- Add or remove detections
- Add or remove ingestions
- Change whether the automation rule is on or off.
- Delete the automation rule by selecting the Delete button.
- Select Save. The updated automation rule displays on, or is removed from, the Automation rules page.
Playbook run prioritization
If a finding triggers multiple playbooks within an automation rule, the playbooks run based on the time they are received by Splunk SOAR. The first playbook to reach Splunk SOAR is the first playbook to run (also known as first in, first out, or FIFO, order).
See also
For more information on detections and findings, see the Splunk Enterprise Security documentation:
- Use detections to search for behavioral patterns in Splunk Enterprise Security
- Create event-based detections in Splunk Enterprise Security
- Create finding-based detections in Splunk Enterprise Security
- Splunk SOAR (Cloud): Use playbooks to automate analyst workflows in Splunk SOAR (Cloud)
- Splunk SOAR (Cloud): View the list of configured playbooks in Splunk SOAR (Cloud)
- Splunk SOAR (On-premises): Use playbooks to automate analyst workflows in Splunk SOAR (On-premises)
- Splunk SOAR (On-premises): View the list of configured playbooks in Splunk SOAR (On-premises)
- Splunk SOAR (Cloud): Create custom severity names and control severity inheritance
- Splunk SOAR (On-premises): Create custom severity names and control severity inheritance