Run a Playbook - Tutorials - 6.x - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR 6.x Tutorials

Product
Cortex XSOAR
Version
6.x
Creation date
2022-10-13
Last date published
2023-06-05
Category
Tutorials

After you define the instance and start ingesting incidents, the Splunk Generic default playbook assigned to the Splunk incident type automatically processes each incoming incident. The analyst does not need to take any action to start the playbook run or the incident-handling process.

You can change the default playbook under Settings > OBJECTS SETUP > Incidents > Types > Splunk Notable Generic > Edit. Out-of-the-box incident types are read-only, so you need to either duplicate or detach the incident type before you can edit it. Note that a detached incident type no longer receives updates when its content pack is updated.

Playbook Inputs

Every playbook has inputs that help determine how the playbook flows. The inputs (and outputs) are configured at the beginning of the playbook, under Playbook Triggered.

For a full description of each of the inputs for this playbook, see the playbook documentation. For the purposes of this tutorial, we focus on the following Splunk Generic playbook inputs:

  • Enrich: Determines whether the playbook enriches all of the indicators in the incident (default is true). Because enrichment can be a very resource-intensive operation (every extracted indicator is queried against every enabled enrichment integration, which also consumes those integrations' API quota), you may want to set this to false and enrich only specific indicators, using only certain integrations.

    If you do want to enrich indicators, make sure that at least one of the out-of-the-box enrichment integrations, such as AutoFocus or VirusTotal, is enabled; otherwise the enrichment tasks run but return no verdicts.

  • UseCalculateSeverity: Determines whether the incident severity is set by the Calculate Severity playbook (default is true) or taken from the Splunk severity value. When set to true, the Calculate Severity playbook takes the DBot scores of the enriched indicators and derives the incident severity from them. This means the calculated severity depends on enrichment having run: if you set Enrich to false, consider setting this input to false as well so that the severity still comes from Splunk.
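To make the interaction between these two inputs concrete, the following Python model plays through the four combinations of Enrich and UseCalculateSeverity on a constructed incident. It is an added example, not XSOAR's playbook or automation code: the DBotScore-to-severity mapping, the Splunk-severity-to-XSOAR-severity mapping, the `SAMPLE_REPUTATION` lookup that stands in for the enrichment integrations, and the `only_types` filter are all assumptions made for illustration; the real logic lives in the Calculate Severity playbooks and the Splunk incident type's mapping.

```python
"""Model of how the Splunk Generic playbook's Enrich and UseCalculateSeverity
inputs determine the incident severity.

Added illustrative example; not XSOAR's own playbook or automation code.
The mappings and the reputation lookup below are assumptions.
"""

# XSOAR incident severity levels.
SEVERITY = {"unknown": 0, "informational": 0.5, "low": 1,
            "medium": 2, "high": 3, "critical": 4}

# DBotScore verdicts: 0 unknown, 1 good, 2 suspicious, 3 bad.
# Assumed mapping from the highest DBotScore among the enriched indicators.
DBOT_TO_SEVERITY = {0: "unknown", 1: "low", 2: "medium", 3: "high"}

# Assumed mapping of the Splunk severity value to an XSOAR severity name.
SPLUNK_TO_SEVERITY = {
    "informational": "informational", "low": "low", "medium": "medium",
    "high": "high", "critical": "critical",
}

# Constructed stand-in for the enrichment integrations (VirusTotal, AutoFocus, ...):
# indicator value -> DBotScore. Anything not listed comes back as 0 (unknown).
SAMPLE_REPUTATION = {
    "203.0.113.7": 3,   # known-bad IP
    "example.org": 1,   # clean domain
    "198.51.100.9": 2,  # suspicious IP
}


def enrich_indicators(indicators, reputation, only_types=None):
    """Stand-in for 'Entity Enrichment - Generic v2': DBotScore per indicator.

    `indicators` is a list of (type, value) tuples as extracted from the incident.
    `only_types` restricts enrichment to some indicator types, the cheaper option
    the tutorial mentions when enriching everything is too expensive.
    """
    scores = {}
    for ind_type, value in indicators:
        if only_types is not None and ind_type not in only_types:
            scores[value] = 0  # not enriched, verdict stays unknown
        else:
            scores[value] = reputation.get(value, 0)
    return scores


def decide_severity(indicators, splunk_severity, enrich=True,
                    use_calculate_severity=True, only_types=None,
                    reputation=SAMPLE_REPUTATION):
    """Return (severity_name, explanation) for the incident.

    Enrich decides whether indicators get DBotScores at all;
    UseCalculateSeverity decides whether severity comes from those scores
    or from the Splunk severity value.
    """
    if enrich:
        scores = enrich_indicators(indicators, reputation, only_types)
    else:
        scores = {value: 0 for _, value in indicators}  # nothing enriched

    if not use_calculate_severity:
        name = SPLUNK_TO_SEVERITY.get(splunk_severity.lower(), "unknown")
        return name, f"severity taken from Splunk value '{splunk_severity}'"

    top = max(scores.values(), default=0)
    name = DBOT_TO_SEVERITY[top]
    if top == 0:
        # Caveat: with Enrich=false, or no enrichment integration enabled, there
        # are no DBotScores, so a DBotScore-based severity has nothing to use.
        return name, ("no DBotScore available (enrichment disabled or no "
                      "enrichment integration enabled); consider "
                      "UseCalculateSeverity=false")
    worst = [value for value, score in scores.items() if score == top]
    return name, f"highest DBotScore {top} from {worst}"


if __name__ == "__main__":
    # Constructed incident: the indicators the playbook extracted from a notable.
    incident_indicators = [("ip", "203.0.113.7"), ("domain", "example.org"),
                           ("url", "http://example.org/login")]
    for kwargs in ({}, {"enrich": False}, {"use_calculate_severity": False},
                   {"only_types": {"domain"}}):
        print(kwargs or "defaults", decide_severity(incident_indicators, "Low", **kwargs))
```

Running it shows the trap the inputs can set: with the defaults the known-bad IP drives the severity to high, with UseCalculateSeverity=false the incident simply keeps Splunk's "Low", but with Enrich=false and UseCalculateSeverity left at true the model has no DBot scores to work from and the severity stays unknown. Restricting enrichment to domains only is the middle ground: cheaper, but the severity then reflects only the indicator types you chose to enrich.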

Enrich Indicators

In the playbook inputs, if you select to enrich all of the indicators from the incident, the playbook extracts the indicators and uses whichever integrations you have enabled for the enrichment. Enriched indicators provide the analyst with more information about each indicator.

The Entity Enrichment - Generic v2 playbook checks for information about all kinds of indicators, including malicious URLs, domains, or IP addresses. It can also check against a list of VIP assets in your organization that might have been targeted, or detonate a file that was attached to the incident.

These capabilities are built into the playbook, but each check only produces results if you have installed and enabled an integration that performs it, such as VirusTotal or Threat Crowd; tasks whose integration is missing are skipped or return nothing. For information about enabling additional integrations, see the integration documentation.

Manual Investigation

After the playbook gathers all of the relevant data, an SLA timer is started and the incident is assigned to an analyst for manual investigation. The manual investigation task requires the analyst to decide whether the incident is a true positive or a false positive; the playbook does not continue until that decision is made.

If the incident is a true positive, an incident report is generated and the necessary remediation steps are taken.

If the incident is a false positive, the analyst can use the Provide data for rule adjustment task (Questions tab) to provide information that can help fine-tune the system for future cases.

[Screenshot: tutorial-siem-which-rules.png]

The feedback from the analyst is sent to the Splunk administrator so they can review the suggested changes and make any necessary adjustments.