SPLK-2003 Apps, Assets, and Playbooks
Apps, Assets, and Playbooks
Detailed list of SPLK-2003 knowledge points
- + Deployment, Installation, and Initial Configuration
- + User Management
- + Apps, Assets, and Playbooks
- + Analyst Queue
- + The Investigation Page
- + Case Management and Workbooks
- + Customizations
- + System Maintenance
- + Introduction to Playbooks
- + Visual Playbook Editor
- + Logic, Filters, and User Interaction
- + Formatted Output and Data Access
- + Modular Playbook Development
- + Custom Lists and Data Routing
- + Configuring External Splunk Search
- + Integrating SOAR into Splunk
- + Custom Coding
- + Using REST
Apps, Assets, and Playbooks Detailed Explanation
1. What’s the Relationship?
Before diving into each part, here’s a quick overview of how they relate:
Apps: These are like “adapters” that connect SOAR to external tools.
Assets: These are specific “configured copies” of apps, with your environment’s settings.
Playbooks: These are the “automated workflows” that use assets to take actions when security events happen.
Think of it like this:
Apps = Software tools
Assets = Configured accounts
Playbooks = Step-by-step instructions that use those tools
2. Apps
What is an App?
An App in Splunk SOAR is a package that lets the platform communicate with an external service (e.g., a threat intelligence platform, firewall, SIEM, or cloud service).
Examples:
VirusTotal: Look up file hashes, URLs, IPs.
Splunk: Run saved searches, fetch logs.
AWS: Start or stop EC2 instances, check IAM roles.
Palo Alto Networks: Block an IP, check firewall status.
What Apps Provide:
Predefined Actions: Each app comes with specific actions you can use in playbooks.
Example actions:
ip reputation(VirusTotal)block user(Active Directory)run query(Splunk)
How to Install Apps:
App Store (Built-in):
Go to Administration > Apps.
Search and click “Install.”
Some apps may require internet access to install this way.
Manual Upload:
Download the
.tgzapp file from Splunkbase or GitHub.Upload it via the SOAR UI.
Then configure it as an asset.
Remember: Apps alone do not perform actions — they need to be configured into Assets.
3. Assets
What is an Asset?
An Asset is a specific, configured instance of an app. It contains all the connection details and credentials needed to talk to the external system.
For example:
The VirusTotal app becomes a “VirusTotal Asset” when you add:
An API Key
A description
Possibly a custom timeout setting
What an Asset Includes:
Authentication Details: API keys, usernames, passwords, or OAuth tokens.
Network Info: IP address, base URL, or port.
Additional Settings: Timeout settings, log levels, optional headers.
Setup Process:
Go to Administration > Assets.
Click “Add Asset.”
Choose an app (e.g., Splunk).
Fill in the required fields like:
Server URL
Authentication method
Role-based access settings
Click Save and Test Connectivity.
Why Assets Matter:
Without an asset, the playbook has no way to interact with the external system.
You can have multiple assets for the same app. For example:
Splunk-Testfor dev logs.Splunk-Prodfor production alerts.
Access Control:
You can limit which users or roles can access each asset.
This helps enforce security policies (e.g., only admins can use the firewall asset).
4. Playbooks
What is a Playbook?
A Playbook is an automated script or flowchart that tells SOAR what to do when something happens. It’s like a robot that follows instructions when an event comes in.
When is a Playbook Triggered?
Automatically: When a new event (container) is ingested.
Manually: When an analyst clicks “Run Playbook.”
Scheduled: Set to run at specific times or intervals.
What Does a Playbook Contain?
Playbooks are built from blocks such as:
Actions: Use an asset to call an external tool.
- E.g., “Run IP reputation check” using VirusTotal.
Conditions / Logic Blocks: Decide what to do based on action results.
- E.g., “If score > 80, mark as malicious.”
Format Blocks: Prepare data for reporting or logging.
Prompts: Ask analysts for input if automation can't decide.
How Are They Built?
Visual Editor: Drag-and-drop interface (easy for beginners).
Python Scripting: Full control for advanced users.
Hybrid: Use visual design with occasional code blocks for flexibility.
Advanced Features:
Version Control: Save and publish changes in different versions.
Modularity: Use smaller playbooks inside larger ones.
Input/Output Handling: Pass data between blocks or between parent/child playbooks.
Summary
| Component | Purpose | Key Function |
|---|---|---|
| App | Enables integration | Provides the actions SOAR can call |
| Asset | Custom instance of an app | Stores credentials and config for real use |
| Playbook | The automation logic | Uses assets to respond to security events |
Apps, Assets, and Playbooks (Additional Content)
1. Asset Tagging and Group Management
In environments where dozens or hundreds of assets are configured, Splunk SOAR provides support for tags and asset groups to help with organization and filtering.
a. Tags for Assets
Admins can assign tags to assets to classify them by:
Function (e.g., Firewall, Intel, SIEM)
Environment (e.g., Dev, Prod)
Owner or Team (e.g., SOC Tier 1, Engineering)
These tags are user-defined keywords that improve searchability and filtering in the UI.
b. Use Case in Exams
Some questions may ask:
“How can analysts quickly locate a specific AWS asset configured for the Dev environment?”
Correct approach:
Use the filter panel in the Assets section, and apply the relevant tag like "Dev" or "AWS".
c. Asset Groups (Not a default concept, but possible via tagging logic)
Although SOAR does not support "asset groups" as a standalone feature, you can simulate groups by assigning the same tag to multiple assets.
For example:
- Tag several Splunk assets as
"Monitoring"to group them logically.
2. Playbook Debugging and Testing Features
Understanding how to troubleshoot and validate playbooks is essential — both in real-world automation and for exam scenarios.
a. Test Mode
Playbooks can be executed in test mode from the UI:
Choose a sample container or event
Run the playbook interactively
This allows analysts to observe each block’s behavior and review outputs step by step.
b. Debugging with phantom.debug()
Inside code blocks, use:
phantom.debug("Variable value: {}".format(variable_name))This logs the value to the playbook log, viewable via the Investigation page or system logs (
playbook.log).
c. Playbook Execution Log
Each action or block generates output logs that include:
Input parameters used
Return status (success/failure)
Returned data (such as JSON or lists)
You can see this in:
The timeline of the container
The “Execution” tab in the playbook designer
d. Exam Relevance
“What’s the best way to identify why a playbook failed at a specific step?”
Correct answer: Review the debug logs and output of that specific block or use test mode.
3. App Categories – Types and Use Cases
Apps in Splunk SOAR act as connectors to external systems and are categorized based on the type of service they integrate with. Understanding these types helps you map use cases to the correct integration.
a. Security Intelligence Apps
Used to enrich indicators or evaluate threat intelligence.
Examples:
VirusTotal
OTX (Open Threat Exchange)
Recorded Future
Typical Actions:
IP/domain/file reputation lookup
Threat score evaluation
Use Case:
“Is this IP part of a known botnet?”
b. Network and Firewall Apps
Used to control or monitor network security infrastructure.
Examples:
Palo Alto Networks
Cisco Firepower
Fortinet
Typical Actions:
Block IP
Retrieve logs
Add firewall rule
Use Case:
“Quarantine a host or block outbound traffic.”
c. Cloud Service Apps
Used to manage and secure cloud infrastructure.
Examples:
AWS
Azure
GCP
Typical Actions:
Stop/start EC2 instance
Check IAM role usage
Audit cloud logs
Use Case:
“Disable a cloud user account or stop a suspicious VM.”
d. Tooling / DevOps / ITSM Apps
Used for integration with operations and workflow platforms.
Examples:
JIRA
ServiceNow
Slack
Splunk
Typical Actions:
Create ticket
Add comment
Run Splunk search
Send notification
Use Case:
“Create a Jira issue based on a phishing case,” or “Send Slack message to SOC team.”
Summary – Extended Knowledge Table
| Feature | Purpose |
|---|---|
| Asset Tags | Organize and filter assets by environment, use case, or team |
| Playbook Test Mode | Run playbooks against test containers for step-by-step verification |
| Debugging | Use phantom.debug() to inspect variables and flow |
| Security Apps | Enrich indicators with external threat intelligence |
| Firewall/Network Apps | Control endpoints or block traffic |
| Cloud Apps | Secure and audit cloud services (AWS, Azure) |
| ITSM/Tooling Apps | Integrate SOAR with workflow tools like JIRA and Slack |
Frequently Asked Questions
What is the functional difference between an app and an asset in Splunk SOAR?
An app provides integration logic and actions for interacting with external systems, while an asset represents a configured instance of that integration with connection details.
Apps contain the automation code that defines actions such as querying threat intelligence platforms, sending emails, or creating tickets in external systems. However, apps do not include connection credentials or environment-specific configuration. Assets provide those operational details, including API keys, hostnames, authentication credentials, and connection parameters. When a playbook executes an action, it references an asset that uses the functionality provided by the app. This separation allows one app to support multiple assets, such as multiple email servers or security platforms, enabling flexible and scalable integration design.
Demand Score: 74
Exam Relevance Score: 82
Why must an asset be configured before a playbook can execute actions using an app?
A playbook requires an asset because the asset provides the connection configuration and credentials needed for the app to interact with an external system.
Apps define available actions but cannot execute them without environment-specific configuration. Assets supply operational parameters such as server addresses, authentication tokens, and API endpoints. When a playbook executes an action, the system uses the asset configuration to establish the connection and perform the operation. If no asset is configured or referenced, the action cannot run because the system lacks the required connection details. This design separates reusable integration logic from deployment-specific configurations.
Demand Score: 66
Exam Relevance Score: 78
How do labels influence playbook execution in Splunk SOAR?
Labels determine which playbooks are automatically triggered when a container is created.
Containers represent security events or incidents within SOAR. Each container can be assigned a label that categorizes the event type, such as phishing, malware, or endpoint alert. Playbooks are configured to trigger automatically when containers with specific labels are created. This mechanism allows the platform to route different types of incidents to appropriate automation workflows. For example, a phishing playbook may run automatically when an email ingestion asset creates a container labeled “phishing.” Proper label configuration ensures the correct automation logic is executed for each event type.
Demand Score: 63
Exam Relevance Score: 80
Why are SLAs configured for labels in Splunk SOAR?
SLAs define investigation response timelines associated with specific event labels.
When a container is assigned a label, the system can apply service-level agreements that specify response deadlines for analysts. These SLAs establish expectations for how quickly incidents must be acknowledged, investigated, or resolved. The system tracks SLA compliance through metrics and dashboards, helping organizations monitor operational performance. Configuring SLAs per label ensures that high-priority events such as malware outbreaks receive faster response requirements compared to lower-risk alerts. This mechanism helps SOC teams prioritize investigations and maintain operational accountability.
Demand Score: 58
Exam Relevance Score: 70
