WEEK_4 · DAY_27 · 1 HOUR
SOAR Playbook Authoring
Automate the analyst — Splunk SOAR (Phantom)
Learning Objectives
- Understand SOAR concepts: playbook, asset, action, artifact
- Author a brute-force response playbook
- Add human approval gates for destructive actions
- Measure analyst time saved
Module 1 — SOAR Concepts
Playbook — visual workflow (drag-and-drop or Python).
Asset — a configured connection (Splunk, AD, firewall, EDR).
Action — atomic operation (lookup IP, disable user, block at FW).
Artifact — IOC inside an event (IP, user, hash).
Module 2 — Common Playbooks
Phishing triage: parse email, extract artifacts, detonate URL, score, notify, block at gateway.
Brute force: enrich src IP (geo + threat), check if user is real, block at firewall (with approval).
Malware: isolate host (EDR), kill process, quarantine file hash globally.
Module 3 — Approval Gates
Always include a human approval step for destructive actions (firewall block, account disable, host isolate).
Auto-actions for read-only enrichment.
Lab 27 — Brute Force Playbook
- Notable: N-2041 (Brute Force).
- Sketch a playbook: enrich src_ip (geo, threat) → check user exists → block at FW (approval) → notify.
- Decide which steps are auto vs approval-gated.
- Estimate time saved per incident (typically 15-30 min).
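The lab sketch above, as an added example that is not part of the course material or Splunk SOAR's own API: a small Python runner that models the Module 1 vocabulary (event, artifact, asset, action, playbook), runs the brute-force chain from Lab 27, executes read-only enrichment automatically, routes the destructive firewall block through an approval callback so it is never executed silently, and tallies estimated analyst minutes saved. Asset names, the geo/threat/AD lookup tables and the per-action minute figures are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed reference data standing in for the real assets (geo, threat intel, AD).
GEO_DB = {"203.0.113.7": "NL"}
THREAT_DB = {"203.0.113.7": "known-scanner"}
AD_USERS = {"jdoe"}
# Assumed analyst effort per action when done by hand (hypothetical figures).
MANUAL_MINUTES = {"geolocate ip": 5, "ip reputation": 5, "lookup user": 5,
                  "block ip": 10, "send notification": 2}


@dataclass
class Artifact:          # an IOC inside an event: ip, user, hash ...
    kind: str
    value: str


@dataclass
class Event:             # the notable that triggered the playbook
    notable_id: str
    artifacts: List[Artifact]


@dataclass
class Action:            # atomic operation bound to one configured asset
    name: str
    asset: str                       # which connection runs it (constructed names)
    artifact_kind: str               # which artifact kind it consumes
    run: Callable[[str], dict]
    destructive: bool = False        # True => human approval required


@dataclass
class RunResult:
    results: Dict[str, Dict[str, dict]] = field(default_factory=dict)
    executed: List[str] = field(default_factory=list)
    pending_approval: List[str] = field(default_factory=list)
    analyst_minutes_saved: int = 0


# The Lab 27 chain: enrich src_ip -> check user exists -> block at FW (gated) -> notify.
# The lambdas are stand-ins for real connector calls.
BRUTE_FORCE_PLAYBOOK = [
    Action("geolocate ip", "geo-asset", "ip", lambda ip: {"country": GEO_DB.get(ip, "unknown")}),
    Action("ip reputation", "threat-intel", "ip", lambda ip: {"verdict": THREAT_DB.get(ip, "clean")}),
    Action("lookup user", "active-directory", "user", lambda u: {"exists": u in AD_USERS}),
    Action("block ip", "firewall", "ip", lambda ip: {"blocked": ip}, destructive=True),
    Action("send notification", "email", "notable", lambda n: {"sent": f"playbook ran for {n}"}),
]


def run_playbook(event: Event, playbook: List[Action],
                 approve: Callable[[Action, str], bool]) -> RunResult:
    """Run read-only actions automatically; route destructive ones through `approve`.

    `approve` stands in for the analyst prompt: True means the human approved,
    False leaves the action pending. A destructive action can only run with approval."""
    out = RunResult()
    for action in playbook:
        if action.artifact_kind == "notable":
            targets = [event.notable_id]
        else:
            targets = [a.value for a in event.artifacts if a.kind == action.artifact_kind]
        for target in targets:
            key = f"{action.name}:{target}"
            if action.destructive and not approve(action, target):
                out.pending_approval.append(key)   # parked for a human, not executed
                continue
            out.results.setdefault(action.name, {})[target] = action.run(target)
            out.executed.append(key)
            out.analyst_minutes_saved += MANUAL_MINUTES.get(action.name, 0)
    return out


if __name__ == "__main__":
    # Constructed notable matching the lab's N-2041 brute-force scenario.
    notable = Event("N-2041", [Artifact("ip", "203.0.113.7"), Artifact("user", "jdoe")])
    result = run_playbook(notable, BRUTE_FORCE_PLAYBOOK, approve=lambda a, t: False)
    print("executed:", result.executed)
    print("awaiting approval:", result.pending_approval)
    print("analyst minutes saved so far:", result.analyst_minutes_saved)
```

With approval withheld, the three enrichment actions and the notification run and the firewall block sits in `pending_approval`; passing an `approve` callback that returns True executes the block and adds its minutes to the total. Marking an action `destructive=True` is the only way to gate it, so the approval rule from Module 3 lives in the runner rather than in each playbook author's memory.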
Key Takeaways
- ✓ Auto enrichment, gate destructive actions
- ✓ SOAR multiplies analyst output 5×
- ✓ Splunk SOAR (Phantom) integrates natively with ES