Splunk SOAR Explained - Achieving Security Orchestration

This video focuses on how security orchestration is achieved within Splunk SOAR through the use of apps. These apps enable the integration and coordination of security functions by connecting various security tools, allowing programmatic control over security actions. With over 350 apps available, spanning a wide range of technologies, each app is essentially a Python module designed to authenticate and interact with other services, primarily using APIs. Custom apps can also be created to integrate proprietary in-house tools, with extensive documentation and a wizard to assist in app development. These apps allow Splunk SOAR to automate security tasks, such as querying email accounts or blocking IP addresses, and can be customised and modified as needed, with 30% of the apps contributed by the community.

Each app in Splunk SOAR contains a set of actions, such as blocking an IP or terminating a session, with actions standardised across apps to simplify Playbook creation. These apps can be linked to specific assets, like firewalls or external services, with role-based permissions controlling access. For certain high-risk actions, such as modifying a firewall, an approval process is built in, with primary, secondary, and executive escalation paths ensuring proper authorisation. This detailed orchestration and automation process helps streamline and enhance security operations, providing a powerful tool for managing and integrating diverse security systems efficiently.