.. _trackme_app_on_soar:

TrackMe App on SOAR: Automate and interact with TrackMe from Splunk SOAR
========================================================================

.. admonition:: About TrackMe App on SOAR

   - **TrackMe App on SOAR** is an application for **Splunk SOAR** that allows you to automate tasks and interact with TrackMe, transparently from your SOAR environments.
   - You can download TrackMe App on SOAR from our release website: https://downloads.trackme-solutions.com/trackme-app-on-soar or from our GitHub repository: https://github.com/trackme-limited/trackme-app-on-soar
   - With the TrackMe App on SOAR, you can automate various actions in TrackMe, such as retrieving the real-time status of TrackMe entities, updating their key behaviour parameters, or interacting with TrackMe features such as the Machine Learning capabilities.
   - Working in collaboration with TrackMe, SOAR users can leverage the TrackMe App on SOAR to extend and enrich their workflows and fulfil sophisticated requirements.

Overview of the TrackMe App on SOAR
-----------------------------------

**The TrackMe App on SOAR documentation can be consulted directly in SOAR once the application has been installed:**

.. image:: img_v2/admin_trackme_app_on_soar/screen001.png
   :alt: screen001.png
   :align: center
   :width: 1200px
   :class: with-border

*Overview of a TrackMe Asset in SOAR:*

.. image:: img_v2/admin_trackme_app_on_soar/screen002.png
   :alt: screen002.png
   :align: center
   :width: 1200px
   :class: with-border

**You can also consult the README from our GitHub repository:**

- https://github.com/trackme-limited/trackme-app-on-soar/blob/main/README.md

SOAR TrackMe actions overview
-----------------------------

**See the TrackMe App on SOAR built-in documentation for a complete and up-to-date list of actions (or the README in our GitHub repository):**

.. image:: img_v2/admin_trackme_app_on_soar/screen003.png
   :alt: screen003.png
   :align: center
   :width: 1200px
   :class: with-border

**Each action uses the TrackMe API endpoints to interact with TrackMe and provides various options; for instance, you can update the key parameters of TrackMe entities:**

.. image:: img_v2/admin_trackme_app_on_soar/screen004.png
   :alt: screen004.png
   :align: center
   :width: 1200px
   :class: with-border

.. image:: img_v2/admin_trackme_app_on_soar/screen005.png
   :alt: screen005.png
   :align: center
   :width: 1200px
   :class: with-border

SOAR TrackMe usage example
--------------------------

**In the following example, we leverage the TrackMe App on SOAR to update the Acknowledgement status of a TrackMe entity:**

.. image:: img_v2/admin_trackme_app_on_soar/screen006.png
   :alt: screen006.png
   :align: center
   :width: 1200px
   :class: with-border

.. _forwarning_notables_to_soar:

Forwarding TrackMe Notable Events to SOAR
-----------------------------------------

**The ideal and recommended configuration is to forward TrackMe Notable Events to Splunk SOAR using the Splunk App for SOAR Export; the following documentation details the best-practice configuration step by step.**

Pre-requisites
^^^^^^^^^^^^^^

Splunk App for SOAR Export
##########################

The Splunk App for SOAR Export should be installed and configured in your Splunk environment so that you can forward Splunk events to SOAR, see:

- https://splunkbase.splunk.com/app/3411

Splunk App for SOAR and Splunk/SOAR integration
###############################################

You should also ideally have already configured Splunk SOAR to forward all of its events to your Splunk environment. This is notably valuable because it allows overlap in your SOAR forwarding rule, ensuring that you never miss an event that should be forwarded to SOAR.
- https://splunkbase.splunk.com/app/6361
- https://docs.splunk.com/Documentation/SOARApp/1.0.71/Install/Configureremotesearch

Create a new Label in Splunk SOAR
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Create a new label for TrackMe Notable Events in SOAR:

- Name: TrackMe Notable

.. image:: img_v2/admin_trackme_app_on_soar/soar_label.png
   :alt: soar_label.png
   :align: center
   :width: 1200px
   :class: with-border

Create the Splunk report for TrackMe Notable Events
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Start by creating a fresh report that will be called by the Splunk App for SOAR Export:

- Name: SOAR Forward TrackMe Notable Events
- Share: the report **must** be shared globally so it can be called from the SOAR Export app
- Earliest / Latest: -60m / now (if we want to use overlapping with SOAR)
- Code: the search below

.. hint::

   The following code is an example; you may need to adjust it to your specific environment and use case.

   - Make sure to update the subsearch and the label if you choose a different label for TrackMe Notable Events.
   - The subsearch technique is used in combination with the SOAR/Splunk integration and the uniqueness of ``event_id`` per event.
   - With this technique, you have a safe workflow that avoids missing events in case of temporary issues on the Splunk side and/or delayed execution of the SOAR Export job.
::

   index=trackme_notable tenant_id=* priority=*
   ``` Allows overlap and uses a subsearch benefiting from the SOAR/Splunk integration to avoid missing events in case of temporary issues on the Splunk side and/or delayed execution of the SOAR Export job ```
   | search NOT [ search index="phantom_artifact" container_label="trackme notable" | fields cef.event_id | rename cef.event_id as event_id | table event_id | format ]
   ``` anomaly_reason is a native list (mvfield): if the search runs in the TrackMe namespace, TrackMe does this for you, otherwise you need to handle it explicitly ```
   | eval anomaly_reason=coalesce(anomaly_reason, 'anomaly_reason{}')
   | fields - anomaly_reason{}
   ``` note: properties fields depend on the context in TrackMe, such as the type of the component; you do not necessarily need to include these, but doing so allows you to decide to do so in the SOAR Export app field mapping at a later step ```
   | table tenant_id, keyid, event_id, object, object_category, state, priority, anomaly_reason, status_message, drilldown_link, properties*
   | foreach * [ eval <<FIELD>> = mvdedup('<<FIELD>>') ]
   | fields *

.. image:: img_v2/admin_trackme_app_on_soar/report_forward001.png
   :alt: report_forward001.png
   :align: center
   :width: 1200px
   :class: with-border

.. image:: img_v2/admin_trackme_app_on_soar/report_forward002.png
   :alt: report_forward002.png
   :align: center
   :width: 1200px
   :class: with-border

Create and configure the Event Forwarding Rule in SOAR Export
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

**In the SOAR Export App, create a new Event Forwarding Rule:**

- Name: SOAR Forward TrackMe Notable Events
- Label: TrackMe Notable
- Run every: 5m
- Earliest / Latest: -60m / now (if we want to use overlapping with SOAR)

.. image:: img_v2/admin_trackme_app_on_soar/soar_forward_rule001.png
   :alt: soar_forward_rule001.png
   :align: center
   :width: 1200px
   :class: with-border

**Choose the severity and sensitivity levels that are relevant to your use case, and configure the field mapping:**

.. image:: img_v2/admin_trackme_app_on_soar/soar_forward_rule002.png
   :alt: soar_forward_rule002.png
   :align: center
   :width: 1200px
   :class: with-border

**Map the fields in the SOAR Export app; for TrackMe Notable Events, ensure to map the following fields (note: you can decide later to include additional properties fields depending on your use cases):**

- tenant_id
- keyid
- event_id
- object
- object_category
- state
- priority
- anomaly_reason
- status_message
- drilldown_link

.. image:: img_v2/admin_trackme_app_on_soar/soar_forward_rule003.png
   :alt: soar_forward_rule003.png
   :align: center
   :width: 1200px
   :class: with-border

**Continue the creation, and if you already have TrackMe Notable Events reaching Splunk, new containers will start to be created in SOAR:**

.. image:: img_v2/admin_trackme_app_on_soar/soar_forward_rule004.png
   :alt: soar_forward_rule004.png
   :align: center
   :width: 1200px
   :class: with-border
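The report and the forwarding rule above rely on two things working together: a search window (``-60m``) that is much wider than the run interval (``5m``), and a subsearch that excludes every ``event_id`` SOAR has already sent back through the Splunk/SOAR integration. The following Python simulation, added here as an illustration and not code from the TrackMe documentation or the TrackMe App on SOAR, replays that logic over constructed sample data (the event records, artifact records, run times and clock are all invented for the example) to show why the overlap survives a failed export run and why the subsearch prevents duplicate containers.

```python
"""Simulation of the SOAR Export report logic used to forward TrackMe
Notable Events: an overlapping search window combined with a subsearch
that excludes event_id values already ingested as SOAR artifacts.

Added example, not code from the TrackMe documentation or the TrackMe App
on SOAR. All events, artifacts and timestamps below are constructed; the
field names mirror the SPL report shown on this page."""

from datetime import datetime, timedelta, timezone

LABEL = "trackme notable"  # SOAR container label created earlier in the guide
EXPORT_FIELDS = ["tenant_id", "keyid", "event_id", "object", "object_category",
                 "state", "priority", "anomaly_reason", "status_message",
                 "drilldown_link"]  # plus properties* (see project_notable)


def mvdedup(value):
    """Equivalent of `foreach * [ eval <<FIELD>> = mvdedup('<<FIELD>>') ]`:
    keep the first occurrence of each value; single values pass through."""
    if not isinstance(value, list):
        return value
    seen, out = set(), []
    for v in value:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def project_notable(event):
    """Mirror the `eval anomaly_reason=coalesce(...)`, `fields -` and
    `table ... properties*` steps of the report."""
    rec = dict(event)
    # anomaly_reason may arrive only as the raw JSON array field anomaly_reason{}
    if rec.get("anomaly_reason") is None:
        rec["anomaly_reason"] = rec.get("anomaly_reason{}")
    rec.pop("anomaly_reason{}", None)
    keep = [f for f in rec if f in EXPORT_FIELDS or f.startswith("properties")]
    return {f: mvdedup(rec[f]) for f in keep}


def select_events_to_forward(notable_events, soar_artifacts, now,
                             earliest_minutes=60, label=LABEL):
    """One execution of the report 'SOAR Forward TrackMe Notable Events'.

    notable_events: records of index=trackme_notable (each carries `_time`)
    soar_artifacts: records of index=phantom_artifact as returned to Splunk
                    by the SOAR integration (container_label, cef.event_id)
    Returns the records to forward, oldest first."""
    earliest = now - timedelta(minutes=earliest_minutes)
    # the subsearch: event_ids already in SOAR under our label
    # (Splunk matches field values case-insensitively, hence lower())
    already_in_soar = {a["cef.event_id"] for a in soar_artifacts
                       if a.get("container_label", "").lower() == label}
    selected = [e for e in notable_events
                if earliest <= e["_time"] <= now
                and e["event_id"] not in already_in_soar]
    selected.sort(key=lambda e: e["_time"])
    return [project_notable(e) for e in selected]


def simulate_export_runs(notable_events, run_times, failed_runs=(),
                         earliest_minutes=60):
    """Replay the SOAR Export job at each run time. A run listed in
    `failed_runs` selects events but fails to deliver them (SOAR outage),
    so nothing is written back to phantom_artifact for that run.
    Returns {event_id: number of times it was delivered to SOAR}."""
    soar_artifacts, delivered = [], {}
    for t in run_times:
        batch = select_events_to_forward(notable_events, soar_artifacts, t,
                                         earliest_minutes)
        if t in failed_runs:
            continue  # delivery failed; the overlap re-selects these next run
        for rec in batch:
            delivered[rec["event_id"]] = delivered.get(rec["event_id"], 0) + 1
            # SOAR forwards the new artifact back to Splunk (phantom_artifact)
            soar_artifacts.append({"container_label": "TrackMe Notable",
                                   "cef.event_id": rec["event_id"]})
    return delivered


# ---- constructed sample data ------------------------------------------------
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def _notable(minute, event_id, **extra):
    base = {"_time": T0 + timedelta(minutes=minute), "tenant_id": "prod",
            "keyid": "key-" + event_id, "event_id": event_id,
            "object": "linux-01:syslog", "object_category": "splk-dsm",
            "state": "red", "priority": "high",
            "status_message": "constructed status message",
            "drilldown_link": "https://splunk.example.com/app/trackme/home",
            "properties.sourcetype": "syslog"}
    base.update(extra)
    return base


SAMPLE_NOTABLES = [
    _notable(1, "ev-0001", **{"anomaly_reason{}": ["lag", "lag", "delay"]}),
    _notable(7, "ev-0002", anomaly_reason=["missing"]),
    _notable(12, "ev-0003", anomaly_reason=["lag"]),
]
RUN_TIMES = [T0 + timedelta(minutes=m) for m in (5, 10, 15, 20)]  # every 5m
FAILED_RUNS = {RUN_TIMES[1]}  # the 12:10 run cannot reach SOAR

if __name__ == "__main__":
    print("overlap -60m :", simulate_export_runs(SAMPLE_NOTABLES, RUN_TIMES, FAILED_RUNS))
    print("no overlap -5m:", simulate_export_runs(SAMPLE_NOTABLES, RUN_TIMES, FAILED_RUNS, 5))
```

With the 60-minute window every event is delivered exactly once even though the 12:10 run fails (``ev-0002`` is picked up again at 12:15 and the artifact check stops it from being re-sent at 12:20); with a window equal to the run interval, ``ev-0002`` is lost. Keep in mind that the exclusion list is produced by a Splunk subsearch, which is subject to the usual subsearch result limits, so the window should stay wide enough to cover outages but not so wide that the list of already-forwarded ``event_id`` values grows past those limits.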