To explain the architect flow, we define and design the incident lifecycle using Splunk.
Define the Incident Type
The first step when planning your incident identification and response is to create a basic outline of the flows that your SOC handles. Consider the same information as in the Architect Flow using QRadar.
Plan the Workflow for Each Incident Type
This section describes the aspects of the workflow that occur before the analyst is assigned.
Assign incidents to the flow
In Cortex XSOAR, incident classification is the process by which an incoming security event/alert is assigned to a Cortex XSOAR incident type. When you fetch security events from Splunk, the event data is ingested in JSON format. You classify the security event based on the fields (keys) from the event JSON.
Install the Splunk content pack, which includes Splunk classifiers. You do not need to define a classifier, however, because all Splunk incidents are ingested as the Splunk Notable Generic incident type (when you assign that incident type to the integration in Cortex XSOAR).
Pre-process incoming incidents
Usually you want to eliminate false positives and deduplicate incidents, which enables you to maintain a clean set of incidents for analysts.
Pre-processing rules enable you to perform certain actions on security events before they are ingested as incidents in Cortex XSOAR. You perform actions when the condition of a rule is met. For example, link the incoming incident to an existing incident, or under configured conditions, drop the incoming incident altogether. You can also run a script on the incident when the conditions are met. For an example, see the Phishing Pre-Process Tutorial.
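The classification-by-JSON-keys and pre-processing steps above, simulated in plain Python as an added example (not code from the page or from the Cortex XSOAR content pack): constructed Splunk notable events are classified on their fields, then run through two pre-processing rules, one that drops a false positive and one that links a duplicate to an open incident. The field names (event_id, rule_name, urgency, src) and the "Brute Force" type mapping are assumptions for illustration; per the page, the default type is Splunk Notable Generic.

```python
import json
from typing import Dict, List

# Constructed sample notable events, in the JSON shape Cortex XSOAR ingests from Splunk.
# Field names are assumed for illustration.
SAMPLE_EVENTS: List[str] = [
    '{"event_id": "n-100", "rule_name": "Brute Force Access Behavior Detected", "urgency": "high", "src": "10.0.0.5"}',
    '{"event_id": "n-101", "rule_name": "Brute Force Access Behavior Detected", "urgency": "high", "src": "10.0.0.5"}',
    '{"event_id": "n-102", "rule_name": "Test Rule - Ignore", "urgency": "informational", "src": "10.0.0.9"}',
]

def classify(event: Dict) -> str:
    """Map keys of the event JSON to an incident type. Everything falls back to the
    generic Splunk notable type; the rule-name mapping is an assumed refinement."""
    if "brute force" in event.get("rule_name", "").lower():
        return "Brute Force"
    return "Splunk Notable Generic"

def preprocess(event: Dict, open_incidents: Dict[str, Dict]) -> Dict:
    """Decide what happens to an incoming event before it becomes an incident:
    drop it (false positive), link it to an existing incident (dedup), or create."""
    # Rule 1: drop known false positives (informational test notables).
    if event.get("urgency") == "informational" and event.get("rule_name", "").startswith("Test Rule"):
        return {"action": "drop", "reason": "false positive"}
    # Rule 2: deduplicate on (rule name, source); link instead of opening a second incident.
    key = (event.get("rule_name"), event.get("src"))
    for inc_id, inc in open_incidents.items():
        if (inc.get("rule_name"), inc.get("src")) == key:
            return {"action": "link", "to": inc_id}
    return {"action": "create", "type": classify(event)}

def run_pipeline(raw_events: List[str]) -> List[Dict]:
    """Ingest events in order, tracking incidents that were actually created."""
    open_incidents: Dict[str, Dict] = {}
    decisions: List[Dict] = []
    for raw in raw_events:
        event = json.loads(raw)
        decision = preprocess(event, open_incidents)
        if decision["action"] == "create":
            open_incidents[event["event_id"]] = event
        decisions.append({"event_id": event["event_id"], **decision})
    return decisions

if __name__ == "__main__":
    for d in run_pipeline(SAMPLE_EVENTS):
        print(d)
```

In Cortex XSOAR itself this logic lives in a pre-processing rule or a pre-process script, which returns True to create the incident and False to drop it.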
The Splunk content pack includes the Splunk Generic default playbook out of the box.