TrackMe App on SOAR: Automate and interact with TrackMe from Splunk SOAR

About TrackMe App on SOAR

  • TrackMe App on SOAR is an application for Splunk SOAR that allows you to automate tasks and interact with TrackMe, transparently from your SOAR environments.

  • You can download TrackMe App on SOAR from our release WebSite: https://downloads.trackme-solutions.com/trackme-app-on-soar or our GitHub repository: https://github.com/trackme-limited/trackme-app-on-soar

  • With the TrackMe App on SOAR, you can automate various actions in TrackMe, such as retrieving the real-time status of TrackMe entities, updating their key behaviour parameters, or interacting with TrackMe features such as the Machine Learning capabilities.

  • SOAR users can leverage the TrackMe App on SOAR, working together with TrackMe, to extend and enrich their workflows and meet sophisticated requirements.

Overview of the TrackMe App on SOAR

The TrackMe App on SOAR documentation can be consulted directly in SOAR once the application has been installed:

screen001.png

Overview of a TrackMe Asset in SOAR:

screen002.png

You can also consult the README from our GitHub repository: https://github.com/trackme-limited/trackme-app-on-soar

SOAR TrackMe actions overview

See the TrackMe App on SOAR built-in documentation for a complete and up-to-date list of actions (or the README from our GitHub repository):

screen003.png

Each action uses the TrackMe API endpoints to interact with TrackMe and provides various options; for instance, you can update the key parameters of TrackMe entities:

screen004.png screen005.png

SOAR TrackMe usage example

In the following example, we leverage the TrackMe App on SOAR to update the Acknowledgement status of a TrackMe entity:

screen006.png

Forwarding TrackMe Notable Events to SOAR

The ideal and recommended configuration is to forward TrackMe Notable Events to Splunk SOAR using the Splunk App for SOAR Export. The following documentation details the best-practice configuration step by step.

Prerequisites

Splunk App for SOAR Export

The Splunk App for SOAR Export should be installed and configured in your Splunk environment so that you can forward Splunk events to SOAR; see:

Splunk App for SOAR and Splunk/SOAR integration

You should also ideally have already configured Splunk SOAR to forward all of its events to your Splunk environment. This is notably valuable because it allows the SOAR forwarding rule to use an overlapping time window while ensuring that you never miss an event that should be forwarded to SOAR.

Create a new Label in Splunk SOAR

Create a new label for TrackMe Notable Events in SOAR:

  • Name: TrackMe Notable

soar_label.png

Create the Splunk report for TrackMe Notable Events

Start by creating a new report that will be called by the Splunk App for SOAR Export:

  • Name: SOAR Forward TrackMe Notable Events

  • Share: the report must be shared globally so it can be called from the SOAR Export app

  • Earliest / Latest: -60m / now (if you want to use an overlapping window with SOAR)

  • code:

Hint

The following code is an example, you may need to adjust it to your specific environment and use case.

  • Make sure to update the subsearch and the label if you choose a different label for TrackMe Notable Events.

  • The subsearch technique relies on the SOAR/Splunk integration (SOAR artifacts being forwarded back to Splunk) and on the uniqueness of event_id per event.

  • With this technique, the workflow is safe against missing events in case of temporary issues on the Splunk side and/or delayed execution of the SOAR Export job: events already present as SOAR artifacts are excluded, so the overlapping window never creates duplicates.

index=trackme_notable tenant_id=* priority=*
``` Allow overlap and use a subsearch benefiting from the SOAR/Splunk integration to avoid missing events in case of temporary issues on the Splunk side and/or delayed execution of the SOAR Export job ```
| search NOT [ search index="phantom_artifact" container_label="trackme notable" | fields cef.event_id | rename cef.event_id as event_id | table event_id | format ]
``` anomaly_reason is a native list (mvfield); if the search runs in the TrackMe namespace, TrackMe handles this for you, otherwise you need to handle it explicitly ```
| eval anomaly_reason=coalesce(anomaly_reason, 'anomaly_reason{}') | fields - anomaly_reason{}
``` note: properties fields depend on the context in TrackMe, such as the type of the component; you do not necessarily need to include them, but doing so lets you decide to map them in the SOAR Export app field mapping at a later step ```
| table tenant_id, keyid, event_id, object, object_category, state, priority, anomaly_reason, status_message, drilldown_link, properties*
| foreach * [ eval <<FIELD>> = mvdedup('<<FIELD>>') ]
| fields *
report_forward001.png report_forward002.png
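As an added illustration (not TrackMe's own code, nor the SOAR Export app's), the following Python simulates the report's overlap-and-exclude logic on constructed sample events: a first run forwards two notables, SOAR forwards its artifacts back to Splunk, and a second run over the overlapping window excludes those via event_id while picking up the new one. The field names and label are those of the report above; the sample values and helper functions are assumptions.

```python
# Added simulation (not TrackMe's or the SOAR Export app's code) of the report's
# overlap-and-exclude logic; events are dicts keyed by Splunk field name, multivalue
# fields are lists, and all sample data below is constructed.
MAPPED = ["tenant_id", "keyid", "event_id", "object", "object_category", "state",
          "priority", "anomaly_reason", "status_message", "drilldown_link"]

def already_forwarded_ids(phantom_artifacts, label="trackme notable"):
    """Emulate the subsearch: cef.event_id of artifacts whose container carries the
    label (compared case-insensitively, as the search command compares field values)."""
    return {a["cef.event_id"] for a in phantom_artifacts
            if a.get("container_label", "").lower() == label and "cef.event_id" in a}

def normalise(event):
    """Emulate eval/foreach/table: coalesce anomaly_reason from the JSON-flattened
    'anomaly_reason{}' key, mvdedup every field, keep mapped fields and properties*."""
    ev = dict(event)
    if ev.get("anomaly_reason") is None:
        ev["anomaly_reason"] = ev.get("anomaly_reason{}")
    ev.pop("anomaly_reason{}", None)
    out = {}
    for key, value in ev.items():
        if key in MAPPED or key.startswith("properties"):
            # mvdedup keeps the first occurrence of each value, order preserved
            out[key] = list(dict.fromkeys(value)) if isinstance(value, list) else value
    return out

def select_for_forwarding(notables, phantom_artifacts):
    """Events the report hands to SOAR Export on one run of the forwarding rule."""
    seen = already_forwarded_ids(phantom_artifacts)
    return [normalise(e) for e in notables if e["event_id"] not in seen]

def notable(keyid, event_id, **extra):
    """Build a constructed TrackMe notable carrying the fields the rule maps."""
    base = {"tenant_id": "corp", "keyid": keyid, "event_id": event_id, "object": keyid,
            "object_category": "splk-dsm", "state": "red", "priority": "high",
            "status_message": "constructed", "drilldown_link": "https://splunk.example/d"}
    return {**base, **extra}

def simulate_two_runs():
    """Run 1 sees an empty phantom_artifact index; SOAR then forwards its artifacts
    back to Splunk; run 2, in the overlapping -60m window, must only forward e-3."""
    window1 = [notable("k1", "e-1", **{"anomaly_reason{}": ["delay", "delay"]}),
               notable("k2", "e-2", anomaly_reason=["volume"], **{"properties.lag": "7200"})]
    first = select_for_forwarding(window1, [])
    artifacts = [{"container_label": "TrackMe Notable", "cef.event_id": e["event_id"]}
                 for e in first]
    window2 = window1 + [notable("k3", "e-3", anomaly_reason=["volume"])]
    second = select_for_forwarding(window2, artifacts)
    return [e["event_id"] for e in first], [e["event_id"] for e in second]
```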

Create and configure the Event Forwarding Rule in SOAR Export

In the SOAR Export App, create a new Event Forwarding Rule:

  • Name: SOAR Forward TrackMe Notable Events

  • Label: TrackMe Notable

  • Run every: 5m

  • Earliest / Latest: -60m / now (if you want to use an overlapping window with SOAR)

soar_forward_rule001.png

Choose the severity and sensitivity levels that are relevant to your use case, and configure the field mapping:

soar_forward_rule002.png

Map the fields in the SOAR Export app. For TrackMe Notable Events, make sure to map the following fields (note: you can decide later on to include additional properties fields depending on your use cases):

  • tenant_id

  • keyid

  • event_id

  • object

  • object_category

  • state

  • priority

  • anomaly_reason

  • status_message

  • drilldown_link

soar_forward_rule003.png

Continue the creation; if TrackMe Notable Events are already making it to Splunk, new containers will start to be created in SOAR:

soar_forward_rule004.png