Additional Contributor: Kenneth Bouchard

The three main goals of the Cisco Security Operations Centre (SOC) at GovWare:

  1. To protect the conference network
  2. To educate customers, partners and attendees of a potential security risk
  3. To innovate with continuous evolution

You may remember from the previous blog, from the Cisco Live San Diego 2025 SOC, that contributors Austin Pham and Tony Iacobelli built a dashboard to identify attendees' and exhibitors' plain-text credentials in network traffic. Credentials sent in the clear can lead to unauthorized access to systems, data breaches, or network device compromise. Using a Python script, they were able to automatically notify the affected users by email and ask them to visit the SOC for guidance on resolving clear-text password transmission.

Building on the simple yet highly effective solution they built, we decided to use one of the searches in the dashboard to create a detection inside Splunk Enterprise Security (ES). This is where the real power emerges: combining ES with Splunk SOAR let us fully automate and track the entire incident response process inside ES, turning a manual process into a seamless end-to-end orchestration.

Before we dive into what we did, we should note that Splunk ES was upgraded from 8.1 to 8.2.3 and paired with Splunk SOAR. We will be using some of the simple but innovative capabilities baked into this pairing to solve our use case.

First things first: we've got a bit of Frankenstein in our veins, and I mean that in the most flattering way. Austin and Tony created a complex search that was not simple to construct, but it gave me a solid foundation to build my finding upon. The beauty of it? With a basic understanding of Splunk, anyone can make simple changes to pass the fields needed to create a finding and also populate the correct entity/risk_object fields. Those findings and fields are critical to downstream automation.
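As an added example (not the GovWare SOC's Splunk search or Python script, neither of which the post reproduces), the following Python models that pipeline: it parses constructed network-sensor records in a hypothetical key=value layout, applies the clear-text-login predicate, and aggregates the matches into one finding per user carrying the risk_object/risk_object_type fields that the downstream playbook keys on. The record layout, the protocol list, the identity lookup and the risk-score weighting are assumptions; the rule name is the one the post gives for the finding.

```python
"""Model of a clear-text credential detection producing ES-style findings.

Added example; not the SOC's search. Record layout, protocol list, identity
lookup and risk scoring are assumptions made for illustration.
"""
import re
from collections import defaultdict

RULE_NAME = "Threat-SE Endace Clear Text Password Detection – Rule"

# Protocols whose login exchange is readable on the wire unless wrapped in TLS
# (assumption; tune to what the sensor actually decodes).
CLEAR_TEXT_LOGIN_APPS = {"http", "ftp", "telnet", "pop3", "imap", "smtp"}

# Constructed identity lookup standing in for a Splunk identity lookup:
# observed username -> mailbox to notify.
IDENTITY_LOOKUP = {"alice": "alice@example.org", "bob": "bob@example.org"}

# Constructed sensor records in a hypothetical key=value export. The sensor
# reports only that a password was seen, never the password itself, so the
# secret is not copied into the SIEM a second time.
SAMPLE_RECORDS = """\
ts=2025-10-14T09:01:02Z src_ip=10.10.1.5 dest_ip=203.0.113.10 dest_port=80 app=http tls=false auth_method=basic user=alice password_seen=true
ts=2025-10-14T09:01:05Z src_ip=10.10.1.5 dest_ip=203.0.113.10 dest_port=80 app=http tls=false auth_method=basic user=alice password_seen=true
ts=2025-10-14T09:02:10Z src_ip=10.10.2.7 dest_ip=198.51.100.4 dest_port=21 app=ftp tls=false auth_method=login user=bob password_seen=true
ts=2025-10-14T09:03:00Z src_ip=10.10.3.9 dest_ip=203.0.113.10 dest_port=443 app=http tls=true auth_method=basic user=carol password_seen=true
ts=2025-10-14T09:04:00Z src_ip=10.10.4.2 dest_ip=198.51.100.9 dest_port=80 app=http tls=false auth_method=none password_seen=false
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one key=value sensor line into a dict (surrounding quotes stripped)."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def is_clear_text_credential(rec):
    """Detection predicate: a login with a password over an unencrypted
    clear-text protocol. TLS-wrapped logins and sessions without a password
    do not qualify."""
    return (
        rec.get("app") in CLEAR_TEXT_LOGIN_APPS
        and rec.get("tls", "false").lower() != "true"
        and rec.get("password_seen") == "true"
        and bool(rec.get("user"))
    )


def build_findings(raw_records, rule_name=RULE_NAME):
    """Aggregate matching records into one finding per user, the unit ES hands
    to SOAR. risk_object/risk_object_type are the entity fields the playbook
    reads; grouping per user means the person gets one email, not one per packet."""
    grouped = defaultdict(list)
    for line in raw_records.splitlines():
        rec = parse_record(line)
        if rec and is_clear_text_credential(rec):
            grouped[rec["user"]].append(rec)

    findings = []
    for user, recs in sorted(grouped.items()):
        apps = sorted({r["app"] for r in recs})
        findings.append({
            "rule_name": rule_name,
            "risk_object": user,
            "risk_object_type": "user",
            "email": IDENTITY_LOOKUP.get(user),  # None -> an analyst must resolve it
            "src_ips": sorted({r["src_ip"] for r in recs}),
            "apps": apps,
            "count": len(recs),
            "first_seen": min(r["ts"] for r in recs),
            "last_seen": max(r["ts"] for r in recs),
            "risk_score": 20 * len(apps),  # constructed weighting
            "status": "New",
        })
    return findings


if __name__ == "__main__":
    for finding in build_findings(SAMPLE_RECORDS):
        print(finding)
```

Two choices worth carrying into a real search: aggregate per user so the notification fires once per person rather than once per packet, and keep the password itself out of the event and the finding so the SIEM does not become a second copy of the secret.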

Below is what the detections looked like inside of ES.

Next, we will talk about the playbook.

With Splunk ES and SOAR paired, the workflow between the products is seamless for SOC analysts, and it is easier for SOAR admins to orchestrate incident automation from ES.

The playbook consisted of two blocks. The first block used the out-of-the-box internal_smtp action to send an email. We populated the recipient field with the affected user's email address, taken from the entity/risk_object field of our finding, and included a standard subject line and body.

The second block was an ES API “update finding or investigation” block, one of 45 ES API actions available for interacting with Splunk ES once it is paired with SOAR. With that block we set the disposition to “Benign Positive – Suspicious But Expected” and changed the status from New to Closed.

Our last step was to create an Automation Rule, a new feature in ES 8.x. With this we were able to connect our finding “Threat-SE Endace Clear Text Password Detection – Rule” with our playbook “Email User with Clear Text PW”. Now our end-to-end use case is handled without the SOC analyst's intervention, except for review.
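The following Python is an added model of that two-block playbook and the automation rule, not the SOC's playbook export: block one builds the notification email (returned rather than sent, so it runs offline), block two builds the update-finding payload with the disposition and status named above, and the automation rule maps the finding's rule name to the playbook name. In Splunk SOAR the two blocks would be actions run against the SMTP asset and the Splunk ES connector; the finding dict, the sender address, the "no mailbox" handling and the payload shape are assumptions.

```python
"""Model of the two-block SOAR playbook and the ES 8.x automation rule.

Added example; not the SOC's playbook. The finding layout, sender address and
payload shapes are assumptions. The rule, playbook, status and disposition
names are the ones given in the post.
"""
from email.message import EmailMessage

RULE_NAME = "Threat-SE Endace Clear Text Password Detection – Rule"
PLAYBOOK_NAME = "Email User with Clear Text PW"
DISPOSITION = "Benign Positive – Suspicious But Expected"

# Automation rule: finding rule name -> playbook to run.
AUTOMATION_RULES = {RULE_NAME: PLAYBOOK_NAME}

SOC_SENDER = "soc@example.org"   # constructed
SOC_LOCATION = "the SOC booth"   # constructed

# Constructed finding as ES would hand it to SOAR (fields from the detection).
SAMPLE_FINDING = {
    "finding_id": "F-0001",
    "rule_name": RULE_NAME,
    "risk_object": "alice",
    "risk_object_type": "user",
    "email": "alice@example.org",
    "apps": ["http"],
    "src_ips": ["10.10.1.5"],
    "count": 2,
    "status": "New",
    "disposition": None,
}


def block_send_email(finding):
    """Block 1, the internal_smtp 'send email' equivalent. Builds an RFC 5322
    message addressed to the risk_object's mailbox and returns it."""
    msg = EmailMessage()
    msg["From"] = SOC_SENDER
    msg["To"] = finding["email"]
    msg["Subject"] = "Clear-text credential observed on the conference network"
    msg.set_content(
        f"Hello {finding['risk_object']},\n\n"
        f"The SOC observed your account authenticating in clear text "
        f"({', '.join(finding['apps'])}) from {', '.join(finding['src_ips'])}, "
        f"{finding['count']} time(s). Anyone on the network path can read that "
        f"password.\n\nPlease change it and visit {SOC_LOCATION} for help moving "
        f"to an encrypted connection.\n"
    )
    return msg


def block_update_finding(finding):
    """Block 2, the ES API 'update finding or investigation' equivalent.
    Returns the update payload: status New -> Closed with the disposition."""
    return {
        "finding_id": finding["finding_id"],
        "status": "Closed",
        "disposition": DISPOSITION,
        "comment": f"User notified by playbook '{PLAYBOOK_NAME}'",
    }


def run_playbook(finding):
    """Run the two blocks in order. If the identity lookup produced no mailbox
    the finding is left open for an analyst instead of being auto-closed."""
    if not finding.get("email"):
        return {"email": None, "update": None, "reason": "no mailbox for risk_object"}
    msg = block_send_email(finding)
    update = block_update_finding(finding)
    return {"email": msg, "update": update, "reason": "notified"}


def automation_rule(finding):
    """Dispatch: run the playbook mapped to the finding's rule, or nothing."""
    if AUTOMATION_RULES.get(finding["rule_name"]) != PLAYBOOK_NAME:
        return None
    return run_playbook(finding)


if __name__ == "__main__":
    result = automation_rule(SAMPLE_FINDING)
    print(result["email"])
    print(result["update"])
```

The one guard the model adds over a straight two-block playbook is the empty-mailbox check: auto-closing a finding whose user could not be identified would silently drop the case, so the playbook returns without closing and leaves it for review.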

This is the email output that occurs when the playbook is completed.

With this automation in place, our Tier 1 and Tier 2 analysts got time back to focus on other incident investigations.

Check out the other blogs by my colleagues in the GovWare SOC.

About GovWare

GovWare Conference and Exhibition is the region’s premier cyber information and connectivity platform, offering multi-channel touchpoints to drive community intel sharing, training, and strategic collaborations.

A trusted nexus for over three decades, GovWare unites policymakers, tech innovators, and end-users across Asia and beyond, driving pertinent dialogues on the latest trends and critical information flow. It empowers growth and innovation through collective insights and partnerships.

Its success lies in the trust and support from the cybersecurity and broader cyber community that it has had the privilege to serve over the years, as well as organisational partners who share the same values and mission to enrich the cyber ecosystem.

