Skip to main content

How to integrate with Splunk SOAR

Splunk SOAR is a Security Orchestration, Automation, and Response (SOAR) system. The Splunk SOAR platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes, and tools together including integrating with Cado.

For more information, see our blog on integrating with Splunk SOAR, and the Splunkbase page for the Cado App.

Getting Started

Before getting started, please see the Integrations Overview > page for general instructions on setting up the Cado platform for integration with third-party tools.

Below are the instructions for setting up the Cado and Splunk SOAR integration:

  1. Create an API Access Key
  2. Install and configure the Cado app in Splunk SOAR
  3. Set your configuration variables
  4. Test your connection
  5. Setup your Playbooks

Create an API Access Key

In order to allow third-party services to authenticate and interact with a Cado instance, you will need to Create an API Access Key for use within Splunk SOAR.

tip

In addition to the API Access Key, please ensure that the Splunk SOAR platform has access (network, firewall, etc) to make API calls to the Cado platform.

Install and Configure the Cado App

In order to install and configure the Cado Splunk SOAR App, you will need the below information:

  • The latest version of the Cado Splunk SOAR App Add-on from the Splunkbase Marketplace
  • The URL to Cado, followed by /api/v2
  • The API Access Key

To install the Cado App, from within Splunk SOAR, navigate to Apps and click the INSTALL APP button in the top right of the page, then upload the Cado tarball and click INSTALL.

If you have successfully installed the Cado App you will see it appear under your Unconfigured Apps. Next, do the following:

  1. Click CONFIGURE NEW ASSET on the Cado App.
  2. Fill in the Asset Info fields with a name and description.
  3. Navigate to Asset Settings
  4. input your URL for the Cado platform
  5. input your Access token you generated earlier.
  6. Click SAVE and TEST CONNECTIVITY.

If all is successful, you should see a Test Connectivity Passed message.

Configuration Variables

The below configuration variables are required to operate Cado via the Splunk SOAR App. These are specified when configuring an asset in Splunk SOAR.

VARIABLEREQUIREDTYPEDESCRIPTION
base_urlrequiredstringURL for the Cado Platform e.g. https://cadoresponseurl/api/v2
access_tokenrequiredpasswordAccess token
default_projectoptionalnumericA project ID in Cado that can be used if a project ID is not specified in an action.
default_bucketoptionalstringA default bucket in Cado
default_regionoptionalstringAWS region, e.g. us-east-1, that can be used if a region is not specified in an action.

When running Actions, if the above inputs are required, they would be entered automatically into the response fields, but you are still able to replace them if you wish to use different values.

Test your connection

When Cado is configured, you can validate your connection to make sure everything is set up correctly.

Navigate to Home -> Apps -> Cado Asset -> Asset Settings. If you haven't already, Edit and enter the Cado URL and Secret Key. Save and Test Connectivity to ensure everything is connected as expected.

If the following was successful, then you have correctly setup Splunk SOAR to interact with the Cado API.

Atomic Actions

Atomic Actions are the basic actions that can be chained together in Playbooks that can be run to perform a specific task or workflow.

List Projects

  • Name: list projects
  • Identifier: list_projects
  • Type: Investigate
  • Description: List projects that are currently active in the Cado platform.

Action Parameters

No Parameters required for this action.

Action Output

DATA PATHTYPEEXAMPLE VALUE
action_result.data.*.*.idstring1
action_result.data.*.*.case_namestringMy First Project
action_result.statusstringsuccess

List EC2 instances

  • Name: list instances
  • Identifier: list_instances
  • Type: Investigate
  • Description: List EC2 instances that are currently visible in the Cado platform.

Action Parameters

PARAMETERREQUIREDDESCRIPTIONTYPEEXAMPLE VALUE
project_idrequiredProject identifier as listed in the output of "list projects" actionnumeric1

Action Output

DATA PATHTYPEEXAMPLE VALUE
action_result.data.*.*.regionstringus-east-1
action_result.data.*.*.idstringi-1234567890abcdef0
action_result.data.*.*.instance_namestringCadoResponse-Test
action_result.data.*.*.instance_typestringt3a.2xlarge
action_result.statusstringsuccess
action_result.parameter.project_idnumeric1

List S3 buckets

  • Name: list buckets
  • Identifier: list_buckets
  • Type: Investigate
  • Description: List S3 buckets that are currently visible to the Cado platform.

Action Parameters

PARAMETERREQUIREDDESCRIPTIONTYPEEXAMPLE VALUE
project_idrequiredProject identifier as listed in the output of "list projects" actionnumeric1

Action Output

DATA PATHTYPEEXAMPLE VALUE
action_result.data...bucket_namestringtest-bucket
action_result.parameter.project_idnumeric1
action_result.statusstringsuccess

List Pipelines

  • Name: list pipelines
  • Identifier: list_pipelines
  • Type: Investigate
  • Description: List pipelines for specified project in Cado platform.

Action Parameters

PARAMETERREQUIREDDESCRIPTIONTYPEEXAMPLE VALUE
pipeline_idrequiredPipeline identifier as listed in the output of "list pipelines" actionnumeric6

Action Output

DATA PATHTYPEEXAMPLE VALUE
action_result.data.*.pipelines.*.pipeline_idnumeric6
action_result.data.*.pipelines.*.namestringAcquiring i-1234567890abcdef0
action_result.data.*.pipelines.*.pipeline_typestringAcquisition
action_result.data.*.pipelines.*.evidence_idnumeric4
action_result.data.*.pipelines.*.summary.totalnumeric18
action_result.data.*.pipelines.*.summary.failurenumeric0
action_result.data.*.pipelines.*.summary.pendingnumeric0
action_result.data.*.pipelines.*.summary.runningnumeric0
action_result.data.*.pipelines.*.summary.successnumeric18
action_result.data.*.pipelines.*.summary.cancellednumeric0
action_result.data.*.pipelines.*.terminatedstringtrue
action_result.parameter.project_idnumeric1
action_result.statusstringsuccess

Get a pipeline

  • Name: get pipeline
  • Identifier: get_pipeline
  • Type: Investigate
  • Description: Get pipeline details for specified pipeline ID in Cado platform.

Action Parameters

PARAMETERREQUIREDDESCRIPTIONTYPEEXAMPLE VALUE
pipeline_idrequiredPipeline identifier as listed in the output of "get pipelines" actionnumeric6

Action Output

DATA PATHTYPEEXAMPLE VALUE
action_result.data.*.pipeline_idnumeric6
action_result.data.*.subtasks.*.namestringAcquisition: Create a processing pipeline for each copied EC2 volume
action_result.data.*.subtasks.*.start_timenumeric1633025565.147805
action_result.data.*.subtasks.*.finish_timenumeric1633031638.334756
action_result.data.*.subtasks.*.execution_durationnumeric6073
action_result.data.*.subtasks.*.statestringSUCCESS
action_result.parameter.pipeline_idnumeric6
action_result.statusstringsuccess

Loop Until Terminated

  • Name: loop pipeline
  • Identifier: loop_pipeline
  • Type: Investigate
  • Description: Get pipeline details every 60 seconds for specified pipeline ID in Cado platform until it is terminated.

Action Parameters

PARAMETERREQUIREDDESCRIPTIONTYPEEXAMPLE VALUE
pipeline_idrequiredPipeline identifier as listed in the output of "get pipelines" actionnumeric6

Action Output

DATA PATHTYPEEXAMPLE VALUE
action_result.data.*.pipeline_idnumeric6
action_result.data.*.subtasks.*.namestringAcquisition: Create a processing pipeline for each copied EC2 volume
action_result.data.*.subtasks.*.start_timenumeric1633025565.147805
action_result.data.*.subtasks.*.finish_timenumeric1633031638.334756
action_result.data.*.subtasks.*.execution_durationnumeric6073
action_result.data.*.subtasks.*.statestringSUCCESS
action_result.parameter.pipeline_idnumeric6
action_result.statusstringsuccess

Create Project

  • Name: create project
  • Identifier: create_project
  • Type: n/a
  • Description: Create a project in Cado platform.

Action Parameters

PARAMETERREQUIREDDESCRIPTIONTYPEEXAMPLE VALUE
project_namerequiredUser provided Project namestringMy First Project

Action Output

DATA PATHTYPEEXAMPLE VALUE
action_result.statusstringsuccess
action_result.data.*.idnumeric1
action_result.parameter.project_namestringMy First Project
action_result.data.*.msgstringCreated

Capture EC2 instance

  • Name: capture instance
  • Identifier: capture_instance
  • Type: n/a
  • Description: Capture a specific EC2 instance for processing and analysis on the Cado platform.

Action Parameters

PARAMETERREQUIREDDESCRIPTIONTYPEEXAMPLE VALUE
bucketrequiredS3 bucket name as listed in the output of "list bucket" actionstringtest-bucket
regionrequiredAWS instance region as listed in the output of "list instances" actionstringus-east-1
project_idrequiredProject identifier as listed in the output of "list projects" actionnumeric1
instance_idrequiredAWS instance ID as listed in the output of "list instances" actionstringi-1234567890abcdef0

Action Output

DATA PATHTYPEEXAMPLE VALUE
action_result.data.*.pipelines.pipeline_idnumeric1
action_result.data.*.namestringAcquiring i-1234567890abcdef0
action_result.parameter.project_idnumeric1
action_result.parameter.regionstringus-east-1
action_result.parameter.instance_idstringi-1234567890abcdef0
action_result.parameter.bucketstringtest-bucket
action_result.statusstringsuccess

Capture S3 bucket

  • Name: capture bucket
  • Identifier: capture_bucket
  • Type: n/a
  • Description: Capture contents of a specific S3 bucket processing and analysis on the Cado platform.

Action Parameters

PARAMETERREQUIREDDESCRIPTIONTYPEEXAMPLE VALUE
bucketrequiredS3 bucket name as listed in the output of "list bucket" actionstringexample-bucket
project_idrequiredProject identifier as listed in the output of "list projects" actionnumeric1

Action Output

DATA PATHTYPEEXAMPLE VALUE
action_result.data.*.*.pipelines.pipeline_idstring6
action_result.data.*.*.pipelines.project_idstring1
action_result.data.*.*.pipelines.evidence_idstring4
action_result.data.*.*.pipelines.pipeline_typestringacquisition
action_result.statusstringsuccess
action_result.parameter.bucketstringtest-bucket
action_result.parameter.project_idnumeric1

Playbooks

If you have a good grasp of the basics of Splunk SOAR, feel free to skip this section.

To create a new playbook, navigate to Playbooks from the Splunk SOAR dashboard. Click the + PLAYBOOK button in the top right.

Using the graphic playbook editor, you can drag and drop the required elements into place from the blue nodes, and configure them one by one as you place them, until you have a playbook ready.

Splunk SOAR Playbook

Playbooks are made up of multiple blocks that carry out a workflow. There are 3 main types of blocks:

  • Execute actions (these include the atomic actions detailed above)
  • Process filters
  • Human input

The example below makes use of both execute actions and human input. Prompts pop up and asks the user for an input. This input can then be passed to the actions as action parameters and act accordingly.

Capture EC2 Instance

This section covers a quick tutorial in creating a basic workflow (or playbook in Splunk SOAR terms) that:

  • Creates a new Project
  • Triggers an EC2 Disk Acquisition
  • Loops over a pipeline until it has been terminated

Prompt: Set Project Name

From the START block you can drag the blue node to add a new block. Select the Prompt option. Under the Advance Settings -> General Settings you can set a custom name, i.e. Set Project Name. You can include a Message, so the user knows what to include.

Action: Creating the Project

Drag the blue node from the prompt you just added to add an action. Select your configured Cado App to view the available actions you can carry out. You will want the create project action. Again here you can change the action name under Advanced Settings.

You can configure the action by clicking the Cado Asset and entering the output from the previous prompt into the project_name field. Do this by clicking on the field where a sidebar will pop up with a list of blocks currently used in the playbook. Select the prompt you just created, e.g. Set_Project_Name. This will open another sidebar with the data path outputs generated from the prompt. Select summary.responses.0. SAVE and the action will be created.

Action: List S3 Buckets

From the last action add the list bucket action. Configure the project_id to be the ID output from the create project action, i.e. create_project_1:action_result.data.*.id

Prompt: Set S3 Bucket

Add a new prompt block from the previous action called Set S3. Click the ADD MESSAGE PARAMETERS button. This will add 0 to the message which acts as a placeholder for a message parameter. In the message parameter field select the list bucket action you just created followed by the bucket_name action results i.e. list_bucket_1:action_result.data.*.*.bucket_name.

Action: List EC2 Instances

Add the list instances action next with the project_id field containing the ID output from the create project action, i.e. create_project_1:action_result.data.*.id.

Prompt: Set EC2 Instance

Similar to the Set S3 prompt, add a new prompt block with 2 message parameters. The first being the list instances region (list_instances_1:action_result.data.*.*.region) and the second being the list instances instance ID (list_instances_1:action_result.data.*.*.id).

In the responses part of the configuration for the action add the first to be Region and the second to be Instance ID.

Action: Capture EC2 Instance

Next add the capture instance action, this will need 4 parameters configured. project_id will take the ID result from the create project action. Instance ID and region will take their respective responses from the previous prompt and bucket will take the response from the set S3 prompt.

  • project_id: create_project_1:action_result.data.*.id
  • instance_id: Set_EC2:action_result.summary.responses.1
  • region: Set_EC2:action_result.summary.responses.0
  • bucket: Set_S3:action_result.summary.responses.0

Action: Loop Pipeline until Terminated

Add the final action which will be the loop pipeline action. Fill in the pipeline_id field with the name result from the capture instance action: capture_instance_1:action_result.data.*.name.

Connect this final action block to the END block and the playbook is complete. Be sure to SAVE using the top right button, and then you can run your playbook.