Splunk App: Trigger Devo SOAR Stream
Overview
This Adaptive Response Action enables users to trigger an On Demand Stream in Devo SOAR from an alert, notable event, etc. It is helpful in scenarios where the transmission and processing time of an event is uncertain: for example, if you query for an event over the last 30 minutes but the event takes 40 minutes to become queryable, Devo SOAR will miss it, because it was not available during the 30-minute time window. This action lets you send a trigger to Devo SOAR as soon as that event is available in Splunk, ensuring Devo SOAR automatically triages 100% of your alerts and notables.
Steps to install the app
Log into Splunk.
Click the Manage Apps icon.
On the Apps page, click Install app from file.
Click Choose File, navigate to and select the app package file, then click Open.
Click Upload.
Steps to upgrade the app
Log into Splunk.
Click the Manage Apps icon.
On the Apps page, click Install app from file.
Click Choose File, navigate to and select the app package file, then click Open.
Select Upgrade app.
Click Upload.
Create an alert to trigger the app
Go to the Search page.
Provide the search criteria for the events and click Search. Example: index="notable".
Save the search as an alert by clicking the "Save As -> Alert" button. This opens a popup.
In the Alert window, configure the alert.
At the bottom, click "Add action" and select the "Trigger Devo SOAR Stream" action.
Under the "When triggered" input, provide the "Host URL", "Port", "Devo SOAR Stream URL" and "Verify SSL" values. Example:
Host URL: https://www.host.url.io
Port: 8443
Devo SOAR Stream URL: https://www.some.webhook.url.io
Verify SSL: True
Save the alert.
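The four inputs above describe a webhook trigger: when the alert fires, its result rows are delivered to the Devo SOAR Stream URL so the On Demand Stream can process them. The following is an added stand-in for that behaviour, written for this page and not the app's own code: it models the four inputs, assembles a JSON body (the payload shape, the header and the sid value are assumptions), sends it with a POST, and derives the TLS behaviour from the Verify SSL setting. The loopback receiver and the notable event fields are constructed so the example runs offline; because the receiver speaks plain http, the Verify SSL setting only takes effect for https Stream URLs.

```python
"""Stand-in for the "Trigger Devo SOAR Stream" alert action (added example, not the app's code).

Models the four inputs the alert action asks for (Host URL, Port, Devo SOAR
Stream URL, Verify SSL) and sends one alert's result rows to the Stream URL
as a JSON webhook POST. Payload shape and header names are assumptions.
"""
import json
import ssl
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse


def build_trigger_payload(splunk_host_url, port, sid, results):
    """Assemble the body sent to the On Demand Stream.

    Assumed fields: where the alert came from (so a playbook can query Splunk
    back), the search id, and the result rows of the alert.
    """
    return {
        "source": {"host_url": splunk_host_url, "port": port},
        "sid": sid,
        "results": results,
    }


def ssl_context_for(stream_url, verify_ssl):
    """Return the TLS context implied by Verify SSL (None for a plain http URL).

    Verify SSL: True is the setting to keep. With verification off, the trigger
    and the alert data inside it go to whoever answers on that hostname.
    """
    if urlparse(stream_url).scheme != "https":
        return None
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def trigger_stream(stream_url, payload, verify_ssl=True, timeout=10):
    """POST the payload to the Stream URL and return the HTTP status code."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        stream_url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    ctx = ssl_context_for(stream_url, verify_ssl)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status


class _Receiver(BaseHTTPRequestHandler):
    """Constructed loopback stand-in for the Devo SOAR webhook; records the last body."""
    last_body = None

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        _Receiver.last_body = json.loads(self.rfile.read(length))
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_local_receiver():
    """Start the loopback receiver in a daemon thread; return (server, stream_url)."""
    server = HTTPServer(("127.0.0.1", 0), _Receiver)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/stream" % server.server_address[1]


def demo():
    """Fire one constructed notable event at the receiver; return (status, body received)."""
    server, url = start_local_receiver()
    try:
        results = [{"rule_name": "Example rule", "src": "10.0.0.5", "urgency": "high"}]  # constructed
        payload = build_trigger_payload("https://www.host.url.io", 8443, "scheduler__example_sid", results)
        status = trigger_stream(url, payload, verify_ssl=True)
        return status, _Receiver.last_body
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The receiving side sees exactly the rows the alert matched, which is why the trigger closes the gap described in the overview: the stream is started by Splunk at the moment the event is searchable rather than by a time-windowed query on the SOAR side.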
Create a new notable event
Go to the "Enterprise Security" page.
Click the Configure menu.
Select "Incident Management" option.
Select "New Notable Events" option.
Notes
You might need loadEventsFromExecutionContext operator to get the data from the Splunk app.