Advanced SOAR Implementation
This 13.5 hour course is intended for experienced SOAR consultants who will be responsible for complex SOAR solution development, and will prepare the attendee to integrate SOAR with Splunk as well as develop playbooks requiring custom coding and REST API usage. Students will develop a custom solution with SOAR, Splunk and custom Python code. The labs provide requirements for the solution; the student must plan and execute the development.
Description
- Using external search in SOAR
- Sending events from Splunk to SOAR
- Updating Splunk events from SOAR
- Running SOAR reports on Splunk
- Executing SOAR playbooks from Splunk
- Searching Splunk from SOAR playbooks
- Writing custom code in SOAR playbooks
- Using the SOAR REST API in Phantom playbooks
Cancellation Policy
Requests for cancellations or rescheduling of live instructor-led training must be received at least 5 business days prior to the start of class for a full refund. You agree to pay the full list price for each registered course (irrespective of the amount paid) for failing to cancel at least five working days prior to the course start date and/or failing to attend the complete course (all days).
Duration
13.5 Hours
How is this training usually structured?
Online training is typically structured as 3-, 4-, or 4.5-hour half-day sessions, or 6-hour full-day sessions with an hour-long break for lunch.
Objectives
Module 1 – Implementing Splunk and SOAR
- Review of SOAR UI and concepts
- Describe interactions between Splunk and SOAR
- Identify key concepts and data flows
- Prerequisites for integration
Module 2 – Configuring External Splunk Search
- Describe the benefits of externalizing search to Splunk
- Configure the SOAR instance for externalization
- Configure the Splunk instance for externalization
- Use the Splunk app for SOAR Reporting
Module 3 – Sending Splunk Events to SOAR
- Configure the SOAR Add-on for Splunk
- Map CIM fields to CEF
- Send Enterprise Security notables to SOAR
- Automatically trigger SOAR playbooks for Splunk notables
Module 4 – Accessing Splunk from SOAR
- Install and configure the SOAR App for Splunk
- Ingest Splunk events into SOAR
- Use Splunk search from playbooks
- Update Splunk notable events
Module 5 – Custom Coding in Playbooks
- SOAR coding best practices
- Writing, using and managing custom functions
- Using the SOAR API in custom code
- Store and retrieve persistent data
Module 6 – Using SOAR REST
- Use Django queries to search for data in SOAR
- Use REST to access SOAR data
- Use the HTTP app to execute REST from playbooks
Prerequisites
Attendees for this class must ensure that they meet all course prerequisites. This is a challenging, advanced class that draws on technical knowledge from many areas in Splunk and SOAR, and the demanding labs and course schedule leave little time to learn the basics.
Classes:
- Experience with Python programming
- Administering Splunk SOAR
- Developing Splunk SOAR Playbooks
- Enterprise Splunk Data Administration
- Enterprise Splunk System Administration
- Either Using or Administering Splunk Enterprise Security
What happens when I register?
Once you register, we will send you a confirmation email that includes the information you will need to attend this training.
What is the price of this training?
This training is priced at $1500.00 USD per participant.
We accept payments by credit card (VISA, MasterCard, American Express, and Discover Card) or Training Credits. Note that ILT courses must start before the training credit expiration date. If you would like to pay by purchase order, please contact your account team for a quote.
What language is this class taught in?
This class is taught in English.
Where is the training taking place?
This training is taking place in AMER - Eastern Standard Time - Virtual.
Who is providing this training?
This class is being delivered by a Splunk ALP - ClearShark Services, Inc.